Description

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.

Remediation

References

https://github.com/vaadin/flow/pull/16935

https://vaadin.com/security/cve-2023-25500

Related Vulnerabilities

CVE-2020-27223 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2020-17527 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2021-43862 Vulnerability in npm package jquery.terminal

CVE-2023-36665 Vulnerability in maven package org.webjars.npm:github-com-protobufjs-protobuf-js

CVE-2023-2798 Vulnerability in maven package net.sourceforge.htmlunit:htmlunit

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory