CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

19 matches found

Prion•added 2023/06/22 1:15 p.m.•19 views

Information disclosure

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information...

4CVSS6.2AI score0.00243EPSS

Exploits0References2Affected Software1

Github Security Blog•added 2021/10/13 6:56 p.m.•23 views

Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 Vaadin 10.0.0 through 10.0.18, 1.1.0 prior to 2.0.0 Vaadin 11 prior to 14, 2.0.0 through 2.6.1 Vaadin 14.0.0 through 14.6.1, and 3.0.0 through 6.0.9 Vaadin 15.0.0 through 19.0....

5.3CVSS2.5AI score0.00686EPSS

Exploits0References3Affected Software1

Cvelist•added 2021/06/24 11:16 a.m.•20 views

CVE-2021-33604 Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 Vaadin 14.0.0 through 14.6.1, 3.0.0 through 6.0.9 Vaadin 15.0.0 through 19.0.8 allows local user to execute arbitrary JavaScript code by opening crafted URL in browser...

2.5CVSS4.5AI score0.00054EPSS

Exploits0References2

Vaadin•added 2021/06/24 12:0 a.m.•31 views

Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19

2.5CVSS1.7AI score0.00054EPSS

Exploits0References1Affected Software2

NVD•added 2021/05/05 7:15 p.m.•13 views

CVE-2021-31411

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 Vaadin 14.0.3 through Vaadin 14.5.2, 3.0 prior to 6.0 Vaadin 15 prior to 19, and 6.0.0 through 6.0.5 Vaadin 19.0.0 through 19.0.4 allows local users to inject malicious code...

7.8CVSS0.00049EPSS

Exploits0References2

NVD•added 2021/04/23 4:15 p.m.•14 views

CVE-2020-36321

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 Vaadin 14.0.0 through 14.4.2, and 3.0 prior to 5.0 Vaadin 15 prior to 18 allows attacker to request arbitrary files stored outside of intended frontend resources folder...

7.5CVSS0.00551EPSS

Exploits0References2

NVD•added 2021/04/23 4:15 p.m.•15 views

CVE-2021-31404

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 Vaadin 10.0.0 through 10.0.16, 1.1.0 prior to 2.0.0 Vaadin 11 prior to 14, 2.0.0 through 2.4.6 Vaadin 14.0.0 through 14.4.6, 3.0.0 prior to 5.0.0 Vaadin 15 prior to 18, and...

4CVSS0.00045EPSS

Exploits0References2

OSV•added 2021/04/23 4:15 p.m.•18 views

CVE-2020-36321

7.5CVSS6.5AI score0.00551EPSS

Exploits0References2

Prion•added 2021/04/23 4:15 p.m.•15 views

Cross site request forgery (csrf)

1.9CVSS3.8AI score0.00045EPSS

Exploits0References2Affected Software2

CVE•added 2021/04/23 4:5 p.m.•84 views

CVE-2021-31406

The CVE-2021-31406 entry concerns a timing side-channel vulnerability in Vaadin. Affected products/versions are: com.vaadin:flow-server 3.0.0–5.0.3 (Vaadin 15.0.0–18.0.6) and com.vaadin:fusion-endpoint 6.0.0 (Vaadin 19.0.0). The root cause is a non-constant-time comparison of CSRF tokens in the e...

4CVSS3.6AI score0.00054EPSS

Exploits0References2Affected Software2

Cvelist•added 2021/04/23 4:5 p.m.•14 views

CVE-2021-31406 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 Vaadin 15.0.0 through 18.0.6, and com.vaadin:fusion-endpoint version 6.0.0 Vaadin 19.0.0 allows attacker to guess a security token for Fusion endpoints via timing attack...

4CVSS4.6AI score0.00054EPSS

Exploits0References2

Cvelist•added 2021/04/23 4:5 p.m.•16 views

CVE-2021-31405 Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 Vaadin 14.0.6 through 14.4.3, and 3.0.0 through 4.0.2 Vaadin 15.0.0 through 17.0.10 allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses...

7.5CVSS7.6AI score0.00468EPSS

Exploits0References2

Cvelist•added 2021/04/23 4:5 p.m.•19 views

CVE-2020-36319 Potential sensitive data exposure in applications using Vaadin 15

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 Vaadin 15.0.0 through 15.0.4 may expose sensitive data if the application also uses e.g. @RestController...

3.1CVSS6.4AI score0.0039EPSS

Exploits0References3

Cvelist•added 2021/04/23 4:5 p.m.•13 views

CVE-2020-36321 Directory traversal in development mode handler in Vaadin 14 and 15-17

5.9CVSS7.4AI score0.00551EPSS

Exploits0References2

Github Security Blog•added 2021/04/19 2:50 p.m.•47 views

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

4CVSS3.6AI score0.00054EPSS

Exploits0References5Affected Software1

OSV•added 2021/04/19 2:48 p.m.•25 views

GHSA-76F4-FW33-6J2V Potential sensitive data exposure in applications using Vaadin 15