Summary
This web application is running the Vaadin Framework, which is prone to cross-site scripting because the application fails to properly sanitize user-supplied input.
Impact
This could allow a reflected cross-site scripting attack through VaadinPortlet by making the user load a URL designed to include an error message crafted by the attacker.
Solution
Upgrade to Vaadin Framework version 7.3.7 or later. For updates, refer to http://www.vaadin.com/releases
Insight
This flaw exists because proper escaping of HTML in portlet error messages was not ensured.
Affected
Vaadin Framework versions from 7.0.0 up to 7.3.6
Detection
Check the version.
References
Updated on 2015-03-25