Description
A URL encoding error in the development mode handler of com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code when a crafted URL is opened in a browser. The version ranges refer to the flow-server artifact; the corresponding Vaadin platform versions are given in parentheses.
Remediation
Upgrade com.vaadin:flow-server to a release outside the affected ranges listed above (later than 2.6.1 on the 2.x line, later than 6.0.9 on the 3.x to 6.x line); the fix is the vaadin/flow pull request linked under References. The flaw sits in the development mode handler, which Vaadin Flow does not start when the application runs in production mode, so deployed builds with production mode enabled are not exposed; developer machines running the dev server are the target, and they should be upgraded rather than relying on that distinction.
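As a practical check against the affected ranges in the description, the following is an added example (not code from this advisory or from Vaadin). It parses the `groupId:artifactId:type[:classifier]:version:scope` lines that `mvn dependency:list` or `mvn dependency:tree` print, extracts every resolved com.vaadin:flow-server version, and compares it against the inclusive ranges given above. The sample Maven output embedded in the block is constructed for illustration; Gradle output has a different layout and is not handled here, and pre-release qualifiers are ignored when comparing (an assumption of this example, so 6.0.10-beta1 is treated as 6.0.10).

```python
"""Flag com.vaadin:flow-server versions that fall inside the ranges the
CVE-2021-33604 description lists as affected.

Added example; not code from the advisory or from Vaadin.
"""
import re

# Inclusive bounds copied from the description (flow-server versions).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 6, 1)),   # Vaadin 14.0.0 through 14.6.1
    ((3, 0, 0), (6, 0, 9)),   # Vaadin 15.0.0 through 19.0.8
]

# Constructed sample of `mvn dependency:list` output, used for the demo run.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.vaadin:flow-server:jar:2.6.1:compile
[INFO]    com.vaadin:flow-client:jar:2.6.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

# Matches the rest of a Maven coordinate after groupId:artifactId.
FLOW_SERVER = re.compile(r"com\.vaadin:flow-server:(?P<rest>[\w.:-]+)")


def parse_version(text):
    """Turn '2.6.1' or '6.0.10-beta1' into a comparable tuple of ints.

    Each dot-separated piece keeps only its leading digits; a piece with no
    leading digits (e.g. 'alpha1') ends the tuple. The tuple is padded to
    three components so '2.6' compares as 2.6.0. Ignoring qualifiers is an
    assumption made for this example.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if the flow-server version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def flow_server_versions(dependency_output):
    """Extract flow-server version strings from Maven dependency output.

    Coordinates are groupId:artifactId:type[:classifier]:version:scope, so
    the version is always the field immediately before the scope.
    """
    versions = []
    for m in FLOW_SERVER.finditer(dependency_output):
        fields = m.group("rest").split(":")
        if len(fields) >= 2:
            versions.append(fields[-2])
    return versions


def check_dependency_list(dependency_output):
    """Map each resolved flow-server version to whether it is affected."""
    return {v: is_affected(v) for v in flow_server_versions(dependency_output)}


if __name__ == "__main__":
    # Demo run over the constructed sample; feed real output via stdin in use.
    for version, affected in check_dependency_list(SAMPLE_DEPENDENCY_LIST).items():
        status = "AFFECTED (CVE-2021-33604)" if affected else "outside affected ranges"
        print(f"com.vaadin:flow-server {version}: {status}")
```

In practice pipe the real build output in, for example `mvn -q dependency:list | python3 check_flow_server.py` with the demo loop reading `sys.stdin`; check the resolved version rather than the one declared in the POM, since a Vaadin BOM or a transitive dependency can pin a different flow-server than the one you wrote down.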
References
https://github.com/vaadin/flow/pull/11099
https://vaadin.com/security/cve-2021-33604
Related Vulnerabilities
CVE-2021-41182 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui
CVE-2023-45133 Vulnerability in npm package @babel/traverse
CVE-2022-21227 Vulnerability in npm package sqlite3
CVE-2023-26487 Vulnerability in maven package org.webjars.npm:vega
CVE-2020-1945 Vulnerability in maven package org.apache.ant:ant