Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: sending modified requests can cause class and method names to be disclosed in RPC responses.
Remediation
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500