Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: by sending modified requests, an attacker can potentially cause RPC responses to disclose class and method names.
Remediation
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500