CVE-2021-33604

CVE-2021-33604 affects Vaadin Flow Server in development mode handler. The vulnerability is caused by a URL encoding error in the development mode handler of com.vaadin:flow-server, affecting versions 2.0.0–2.6.1 (Vaadin 14.0.0–14.6.1) and 3.0.0–6.0.9 (Vaadin 15.0.0–19.0.8). The underlying issue ...

CVE-2021-31407

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 Vaadin 12.0.0 through 14.4.9, and 6.0.0 through 6.0.1 Vaadin 19.0.0 allows attacker to access application classes and resources on the server via crafted HTTP request...

Design/Logic Flaw

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2 allows attacker to update element property values via crafted synchronization message...

Design/Logic Flaw

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 Vaadin 12.0.0 through 14.4.9, and 6.0.0 through 6.0.1 Vaadin 19.0.0 allows attacker to access application classes and resources on the server via crafted HTTP request...

CVE-2018-25007

CVE-2018-25007 affects Vaadin Flow Server (com.vaadin:flow-server) due to a missing check in the UIDL request handler. Affected versions are 1.0.0–1.0.5, corresponding to Vaadin 10.0.0–10.0.7 and 11.0.0–11.0.2. The root cause is an unchecked UIDL synchronization message, which permits an attacker...

Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2 allows attacker to update element property values via crafted synchronization message. - https://vaadin.com/security/cve-2018-25007...