Summary
This web application is running the Vaadin Framework, which is prone to cross-site scripting because the application fails to properly sanitize user-supplied input.
Impact
This could allow a reflected cross-site scripting attack through VaadinPortlet by making the user load a URL designed to include an error message crafted by the attacker.
Solution
Upgrade to Vaadin Framework version 7.3.7 or later. For updates refer to http://www.vaadin.com/releases
Insight
This flaw exists because proper escaping of HTML in the portlet error message was not ensured.
Affected
Vaadin Framework versions 7.0.0 through 7.3.6.
Detection
Check the version.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N