GitHub Advisory DatabaseGHSA-C99R-67X4-WHJ6Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19
1.2 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:H/Au:N/C:P/I:N/A:N
2.5 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
23.5%
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| com.vaadin:vaadin-bom | ge | 15.0.0 | |
| com.vaadin:vaadin-bom | le | 19.0.8 | |
| com.vaadin:vaadin-bom | le | 14.6.1 |
Related
1.2 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:H/Au:N/C:P/I:N/A:N
2.5 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
23.5%