Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: by sending modified requests, class and method names can potentially be disclosed in RPC responses.
Remediation
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500