11 matches found
CVE-2021-31411
The CVE-2021-31411 issue affects com.vaadin:flow-server in these ranges: 2.0.9–2.5.2 (Vaadin 14.0.3–14.5.2), 3.0 before 6.0 (Vaadin 15 before 19), and 6.0.0–6.0.5 (Vaadin 19.0.0–19.0.4). Its root cause is insecure temporary directory usage during frontend rebuilds, allowing local users to inject ...
CVE-2021-31407
Vulnerability: CVE-2021-31407 affects Vaadin’s OSGi integration in flow-server. Affected: com.vaadin:flow-server versions 1.2.0–2.4.7 (Vaadin 12.0.0–14.4.9) and 6.0.0–6.0.1 (Vaadin 19.0.0). Description: allows an attacker to access server-side application classes and resources via a crafted HTTP ...
CVE-2021-31405
The CVE pertains to Vaadin text-field-flow’s EmailField regex validation, which allows a ReDoS-style resource exhaustion by submitting malicious email addresses. Affected are vaadin-text-field-flow versions 2.0.4–2.3.2 (Vaadin 14.0.6–14.4.3) and 3.0.0–4.0.2 (Vaadin 15.0.0–17.0.10). The root cause...
CVE-2021-31408
The CVE-2021-31408 issue affects vaadin:flow-client: versions 5.0.0 prior to 6.0.0 (Vaadin 18) and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3). The root cause is an incorrect HTTP method in Authentication.logout() combined with Spring Security CSRF protection, which, according to the provi...
CVE-2021-31406
The CVE-2021-31406 entry concerns a timing side-channel vulnerability in Vaadin. Affected products/versions are: com.vaadin:flow-server 3.0.0–5.0.3 (Vaadin 15.0.0–18.0.6) and com.vaadin:fusion-endpoint 6.0.0 (Vaadin 19.0.0). The root cause is a non-constant-time comparison of CSRF tokens in the e...
CVE-2020-36319
CVE-2020-36319 affects Vaadin flow-server (com.vaadin:flow-server) versions 3.0.0–3.0.5 (Vaadin 15.0.0–15.0.4). The root cause is an insecure configuration of the default ObjectMapper, which may disclose sensitive data if the application also uses components like @RestController. The CVE is docum...
CVE-2018-25007
CVE-2018-25007 affects Vaadin Flow Server (com.vaadin:flow-server) due to a missing check in the UIDL request handler. Affected versions are 1.0.0–1.0.5, corresponding to Vaadin 10.0.0–10.0.7 and 11.0.0–11.0.2. The root cause is an unchecked UIDL synchronization message, which permits an attacker...
CVE-2020-36321
CVE-2020-36321 affects the Vaadin flow-server: vulnerable versions are 2.0.0–2.4.1 (Vaadin 14.0.0–14.4.2) and 3.0 prior to 5.0 (Vaadin 15 prior to 18). The flaw is improper URL validation in the development mode handler, enabling an attacker to request arbitrary files outside the intended fronten...
CVE-2021-31412
The CVE-2021-31412 entry describes an information-disclosure issue in Vaadin Flow Server’s default RouteNotFoundError view. The vulnerability arises from improper sanitization of the path, enabling a network attacker to enumerate all available routes when the application runs in production mode a...
CVE-2019-25027
The CVE-2019-25027 issue affects com.vaadin:flow-server, specifically the default RouteNotFoundError view. The vulnerability arises from missing output sanitization and affects versions 1.0.0–1.0.10 (Vaadin 10.0.0–10.0.13) and 1.1.0–1.4.2 (Vaadin 11.0.0–13.0.5), allowing an attacker to execute ma...
CVE-2021-31404
The CVE-2021-31404 issue affects com.vaadin:flow-server (Vaadin) where the UIDL request handler uses a non-constant-time comparison for CSRF tokens. This timing discrepancy enables an attacker to guess the security token. Affected versions span Vaadin Flow Server 1.0.0–1.0.13 (Vaadin 10.0.0–10.0....