Vaadin Framework Src-attribute Cross Site Scripting Vulnerability Network Vulnerability

Summary

This web application is running with the Vaadin Framework which is prone to cross-site scripting because the application fails to properly sanitize user-supplied input.

Impact

This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.

Solution

Upgrade to Vaadin Framework version 6.8.14 or later For updates refer to http://www.vaadin.com/releases

Insight

Proper escaping of the src-attribute on the client side was not ensured when using icons for OptionGroup items.

Affected

Vaadin Framework versions from 6.0.0 up to 6.8.13

Detection

Check the version.

References

http://www.vaadin.com/download/release/6.8/6.8.14/release-notes.html

Updated on 2015-03-25

Severity

Classification

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

Apache Tomcat Login Constraints Security Bypass Vulnerability
Apache Tomcat RemoteFilterValve Security Bypass Vulnerability
Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
Apache Tomcat SecurityConstraints Security Bypass Vulnerability

Vaadin Framework src-attribute Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities