Description
A URL encoding error in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser.
Remediation
References
https://vaadin.com/security/cve-2021-33604
https://github.com/vaadin/flow/pull/11099