VAADIN:CVE-2019-25028

Stored cross-site scripting in Grid component in Vaadin 7 and 8

Published: 2019-07-04 00:00:00
Source: vaadin.com
6

EPSS: 0.001 (Low), percentile 40.9%

Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19) and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector. See CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

Description

Due to missing variable sanitization, the Grid header caption could be used to store malicious data and execute unwanted JavaScript in a user's browser, e.g. when untrusted users are allowed to add new grid columns that are shown to other users.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version            Mitigation
Vaadin 7.0.0 - 7.7.19      Upgrade to 7.7.20 or a newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.8.4       Upgrade to 8.8.5 or a newer 8 version

Please note that updates to Vaadin 7 are only available to extended-support customers.

Artifacts

Maven coordinates            Vulnerable version    Fixed version
com.vaadin:vaadin-server     7.4.0 - 7.7.19        ≥ 7.7.20
com.vaadin:vaadin-server     8.0.0 - 8.8.4         ≥ 8.8.5

Credit

This issue was discovered and responsibly reported by MATE Marketing Technologie.

References

PR: https://github.com/vaadin/framework/pull/11644
PR: https://github.com/vaadin/framework/pull/11645
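To make the scenario in the description concrete, the following is an added Vaadin 8 example; it is not code from this advisory or from the Vaadin project. It shows the risky pattern (a column caption taken from an untrusted user and shown to other users) next to a defence-in-depth variant that escapes the caption before it reaches the component. The Person bean, the UNTRUSTED_CAPTION sample input and the escapeHtml helper are assumptions made for illustration; Grid.addColumn and Column.setCaption are the Vaadin 8 server-side API. The authoritative fix remains upgrading to 7.7.20 / 8.8.5 or newer.

```java
import com.vaadin.ui.Grid;

import java.util.Arrays;
import java.util.List;

public class GridCaptionExample {

    // Assumed bean, used only to give the Grid something to display.
    public static class Person {
        private final String name;
        public Person(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed sample input: a caption chosen by an untrusted user who is
    // allowed to add columns that other users will see.
    static final String UNTRUSTED_CAPTION =
            "Name<img src=x onerror=\"alert(document.cookie)\">";

    // Risky pattern on affected releases (vaadin-server 7.4.0-7.7.19, 8.0.0-8.8.4):
    // the caption is stored with the column and rendered in every viewer's
    // browser, so markup embedded in it becomes stored XSS.
    static Grid<Person> vulnerableGrid(List<Person> people, String captionFromUser) {
        Grid<Person> grid = new Grid<>();
        grid.setItems(people);
        grid.addColumn(Person::getName).setCaption(captionFromUser);
        return grid;
    }

    // Defence in depth for deployments that cannot upgrade yet: treat the
    // caption as data and HTML-escape it before handing it to the component.
    static Grid<Person> hardenedGrid(List<Person> people, String captionFromUser) {
        Grid<Person> grid = new Grid<>();
        grid.setItems(people);
        grid.addColumn(Person::getName).setCaption(escapeHtml(captionFromUser));
        return grid;
    }

    // Minimal HTML escaper (assumed helper; a well-tested library escaper
    // is preferable in production code).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        List<Person> people = Arrays.asList(new Person("Alice"), new Person("Bob"));
        // Caption stored on the column as the attacker supplied it.
        System.out.println(vulnerableGrid(people, UNTRUSTED_CAPTION)
                .getColumns().get(0).getCaption());
        // Caption stored with its markup neutralized.
        System.out.println(hardenedGrid(people, UNTRUSTED_CAPTION)
                .getColumns().get(0).getCaption());
    }
}
```

Vaadin 7 exposes the same surface through Column.setHeaderCaption, so the same split applies there. Application-side escaping is a stopgap: if the framework release in use already neutralizes the caption, escaping it a second time shows the entities literally, so verify the rendered header after upgrading and remove the workaround once a fixed release is in place.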

