Vaadin@* Security Vulnerabilities and Issues — Vaadin@* CVE List

Lucene search

VaadinVaadin*

22 matches found

CVE•added 2021/10/13 11:15 a.m.•193 views

CVE-2021-33609

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

4.3CVSS4.4AI score0.00192EPSS

CVE•added 2021/04/23 4:15 p.m.•192 views

CVE-2021-31403

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack

4CVSS3.6AI score0.00129EPSS

CVE•added 2021/05/06 1:15 p.m.•190 views

CVE-2021-31409

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

7.5CVSS7.3AI score0.0056EPSS

CVE•added 2021/04/23 4:15 p.m.•131 views

CVE-2019-25028

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector

6.1CVSS5.7AI score0.00376EPSS

CVE•added 2021/04/23 4:15 p.m.•120 views

CVE-2020-36320

Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

7.5CVSS7.3AI score0.0056EPSS

CVE•added 2022/05/24 3:15 p.m.•93 views

CVE-2022-29567

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of...

7.5CVSS6.2AI score0.00184EPSS

CVE•added 2021/05/05 7:15 p.m.•89 views

CVE-2021-31411

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious co...

7.8CVSS6.6AI score0.00049EPSS

CVE•added 2021/04/23 5:15 p.m.•81 views

CVE-2021-31408

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after ...

7.1CVSS6.3AI score0.00112EPSS

CVE•added 2021/04/23 4:15 p.m.•78 views

CVE-2021-31407

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

8.6CVSS7.5AI score0.01802EPSS

CVE•added 2021/04/23 4:15 p.m.•73 views

CVE-2021-31405

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email address...

7.5CVSS7.3AI score0.00468EPSS

CVE•added 2021/04/23 4:15 p.m.•72 views

CVE-2018-25007

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

4.3CVSS4.1AI score0.00231EPSS

CVE•added 2021/04/23 4:15 p.m.•72 views

CVE-2021-31406

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attac...

4CVSS3.6AI score0.00054EPSS

CVE•added 2021/06/24 12:15 p.m.•71 views

CVE-2021-33604

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

2.5CVSS3.9AI score0.00054EPSS

CVE•added 2021/04/23 4:15 p.m.•68 views

CVE-2020-36319

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController

6.5CVSS5AI score0.005EPSS

CVE•added 2021/04/23 4:15 p.m.•65 views

CVE-2021-31404

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18)...

4CVSS3.6AI score0.00049EPSS

CVE•added 2021/06/24 12:15 p.m.•64 views

CVE-2021-31412

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through ...

5.3CVSS5.1AI score0.00938EPSS

CVE•added 2021/04/23 4:15 p.m.•62 views

CVE-2019-25027

Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL

6.1CVSS6.2AI score0.00371EPSS

CVE•added 2021/11/02 10:15 a.m.•62 views

CVE-2021-33611

Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL

6.1CVSS6.3AI score0.00304EPSS

CVE•added 2021/04/23 4:15 p.m.•61 views

CVE-2020-36321

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.

7.5CVSS6.4AI score0.00551EPSS

CVE•added 2023/06/22 1:15 p.m.•44 views

CVE-2023-25500

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

4.3CVSS4.3AI score0.00229EPSS

CVE•added 2023/06/22 1:15 p.m.•43 views

CVE-2023-25499

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosur...

6.5CVSS5.8AI score0.00182EPSS

CVE•added 2011/01/20 7:0 p.m.•39 views

CVE-2011-0509

Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the index page.

4.3CVSS5.8AI score0.00504EPSS