Lucene search
K

11 matches found

CVE
CVE
added 2021/05/05 6:15 p.m.105 views

CVE-2021-31411

The CVE-2021-31411 issue affects com.vaadin:flow-server in these ranges: 2.0.9–2.5.2 (Vaadin 14.0.3–14.5.2), 3.0 before 6.0 (Vaadin 15 before 19), and 6.0.0–6.0.5 (Vaadin 19.0.0–19.0.4). Its root cause is insecure temporary directory usage during frontend rebuilds, allowing local users to inject ...

7.8CVSS6.6AI score0.00231EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.103 views

CVE-2021-31407

Vulnerability: CVE-2021-31407 affects Vaadin’s OSGi integration in flow-server. Affected: com.vaadin:flow-server versions 1.2.0–2.4.7 (Vaadin 12.0.0–14.4.9) and 6.0.0–6.0.1 (Vaadin 19.0.0). Description: allows an attacker to access server-side application classes and resources via a crafted HTTP ...

8.6CVSS7.5AI score0.02382EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.96 views

CVE-2021-31405

The CVE pertains to Vaadin text-field-flow’s EmailField regex validation, which allows a ReDoS-style resource exhaustion by submitting malicious email addresses. Affected are vaadin-text-field-flow versions 2.0.4–2.3.2 (Vaadin 14.0.6–14.4.3) and 3.0.0–4.0.2 (Vaadin 15.0.0–17.0.10). The root cause...

7.5CVSS7.3AI score0.01127EPSS
CVE
CVE
added 2021/04/23 4:7 p.m.96 views

CVE-2021-31408

The CVE-2021-31408 issue affects vaadin:flow-client: versions 5.0.0 prior to 6.0.0 (Vaadin 18) and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3). The root cause is an incorrect HTTP method in Authentication.logout() combined with Spring Security CSRF protection, which, according to the provi...

7.1CVSS6.3AI score0.00322EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.88 views

CVE-2021-31406

The CVE-2021-31406 entry concerns a timing side-channel vulnerability in Vaadin. Affected products/versions are: com.vaadin:flow-server 3.0.0–5.0.3 (Vaadin 15.0.0–18.0.6) and com.vaadin:fusion-endpoint 6.0.0 (Vaadin 19.0.0). The root cause is a non-constant-time comparison of CSRF tokens in the e...

4CVSS3.6AI score0.00211EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.87 views

CVE-2020-36319

CVE-2020-36319 affects Vaadin flow-server (com.vaadin:flow-server) versions 3.0.0–3.0.5 (Vaadin 15.0.0–15.0.4). The root cause is an insecure configuration of the default ObjectMapper, which may disclose sensitive data if the application also uses components like @RestController. The CVE is docum...

6.5CVSS5AI score0.01001EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.85 views

CVE-2018-25007

CVE-2018-25007 affects Vaadin Flow Server (com.vaadin:flow-server) due to a missing check in the UIDL request handler. Affected versions are 1.0.0–1.0.5, corresponding to Vaadin 10.0.0–10.0.7 and 11.0.0–11.0.2. The root cause is an unchecked UIDL synchronization message, which permits an attacker...

4.3CVSS4.1AI score0.00574EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.84 views

CVE-2020-36321

CVE-2020-36321 affects the Vaadin flow-server: vulnerable versions are 2.0.0–2.4.1 (Vaadin 14.0.0–14.4.2) and 3.0 prior to 5.0 (Vaadin 15 prior to 18). The flaw is improper URL validation in the development mode handler, enabling an attacker to request arbitrary files outside the intended fronten...

7.5CVSS6.4AI score0.01211EPSS
CVE
CVE
added 2021/06/24 11:33 a.m.82 views

CVE-2021-31412

The CVE-2021-31412 entry describes an information-disclosure issue in Vaadin Flow Server’s default RouteNotFoundError view. The vulnerability arises from improper sanitization of the path, enabling a network attacker to enumerate all available routes when the application runs in production mode a...

5.3CVSS5.1AI score0.01318EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.81 views

CVE-2019-25027

The CVE-2019-25027 issue affects com.vaadin:flow-server, specifically the default RouteNotFoundError view. The vulnerability arises from missing output sanitization and affects versions 1.0.0–1.0.10 (Vaadin 10.0.0–10.0.13) and 1.1.0–1.4.2 (Vaadin 11.0.0–13.0.5), allowing an attacker to execute ma...

6.1CVSS6.2AI score0.00668EPSS
CVE
CVE
added 2021/04/23 4:5 p.m.80 views

CVE-2021-31404

The CVE-2021-31404 issue affects com.vaadin:flow-server (Vaadin) where the UIDL request handler uses a non-constant-time comparison for CSRF tokens. This timing discrepancy enables an attacker to guess the security token. Affected versions span Vaadin Flow Server 1.0.0–1.0.13 (Vaadin 10.0.0–10.0....

4CVSS3.6AI score0.0021EPSS