Summary
This web application is running with the Vaadin Framework which is prone to multiple cross-site scripting, information-disclosure, and security-bypass issues because the application fails to properly sanitize user-supplied input.
Impact
Successful exploitation could allow:
- A remote attacker to leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
- Exploiting the information-disclosure issues allows the attacker to view local files within the context of the Web server process.
- Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Solution
Upgrade to Vaadin Framework version 6.6.7 or later, or 6.7.0 or later. For updates refer to http://www.vaadin.com/releases
Insight
Multiple flaws exist due to:
- A directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN()
- CSRF/XSS vulnerability through separator injection
- Contributory XSS: possibility to inject HTML/JavaScript in system error messages
- Contributory XSS: possibility for injection in certain components
Affected
Vaadin Framework versions from 6.0.0 up to 6.6.6
Detection
Check the installed Vaadin Framework version against the affected range.
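The version check described above, written out as an added example for this page (it is not the scanner's own plugin code and not part of Vaadin): the affected range 6.0.0 up to 6.6.6 and the fixed releases 6.6.7 / 6.7.0 come from this advisory, while the input version strings are constructed samples and the function names are this example's own.

```python
import re

# Boundaries taken from this advisory: affected 6.0.0 through 6.6.6,
# fixed in 6.6.7 (6.6 line) and 6.7.0 (6.7 line).
AFFECTED_MIN = (6, 0, 0)
FIXED_6_6 = (6, 6, 7)
FIXED_6_7 = (6, 7, 0)


def parse_version(text):
    """Extract the first x.y.z version from a banner or version string.

    Returns a (major, minor, patch) tuple, or None when no such version is
    present (e.g. a banner that only says "Vaadin").
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version lies in [6.0.0, 6.6.7), i.e. 6.0.0 up to 6.6.6.

    Accepts either a version string or a (major, minor, patch) tuple. Versions
    that cannot be parsed are reported as not affected rather than guessed at,
    so a scanner caller can treat None/unparseable banners separately.
    """
    v = parse_version(version) if isinstance(version, str) else version
    if v is None:
        return False
    return AFFECTED_MIN <= v < FIXED_6_6


def recommended_fix(version):
    """Return the nearest fixed release for an affected version, else None.

    Installations on the 6.6 line are pointed at 6.6.7; older 6.x lines
    (6.0 to 6.5) are pointed at 6.7.0, the later of the two fixed trains.
    """
    v = parse_version(version) if isinstance(version, str) else version
    if not is_affected(v):
        return None
    return FIXED_6_6 if v[:2] == (6, 6) else FIXED_6_7


def check_banners(banners):
    """Run the check over a list of (host, banner) pairs and return findings.

    Each finding is (host, parsed_version, recommended_fix_version).
    """
    findings = []
    for host, banner in banners:
        v = parse_version(banner)
        if v is not None and is_affected(v):
            findings.append((host, v, recommended_fix(v)))
    return findings


if __name__ == "__main__":
    # Constructed sample banners; hostnames are placeholders, not real targets.
    sample = [
        ("app1.example.test", "Vaadin 6.6.6"),
        ("app2.example.test", "Vaadin 6.6.7"),
        ("app3.example.test", "Vaadin 6.2.3"),
        ("app4.example.test", "Vaadin 7.0.0"),
        ("app5.example.test", "Vaadin"),
    ]
    for host, version, fix in check_banners(sample):
        print(f"{host}: {'.'.join(map(str, version))} affected, upgrade to {'.'.join(map(str, fix))}")
```

The comparison works on integer tuples rather than strings so that 6.10.0 (if it existed) would sort after 6.6.7; string comparison would get that wrong. Banners without an x.y.z version are deliberately left out of the findings instead of being assumed vulnerable.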
References