CVSS2: 4.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
  Percentile: 36.1%
Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL. See CWE-81: Improper Neutralization of Script in an Error Message Web Page.

Description

Due to missing output sanitization, the default RouteNotFoundError view could be used to execute unwanted JavaScript in a user's browser if the user opens a specially crafted URL.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version          | Mitigation
Vaadin 10.0.0 - 10.0.13  | Upgrade to 10.0.14 or newer 10 version
Vaadin 11 - 12           | No longer supported. Upgrade to 13.0.6 or newer version
Vaadin 13.0.0 - 13.0.5   | Upgrade to 13.0.6 or newer version

Please note that Vaadin versions 11-13 and 15-17 are no longer supported and you should update either to the latest 14 or 18 version respectively. Also, updating to Vaadin 7 is only available to extended-support customers.

Artifacts

Maven coordinates        | Vulnerable version | Fixed version
com.vaadin:flow-server   | 1.0.0 - 1.0.10     | >= 1.0.11
com.vaadin:flow-server   | 1.1 - 1.3          | N/A
com.vaadin:flow-server   | 1.4.0 - 1.4.2      | >= 1.4.3

References

PR: https://github.com/vaadin/flow/pull/5498
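As an added illustration of the bug class (CWE-81), and not Vaadin's own code or the fix in the referenced PR: a minimal "route not found" page builder in Python that reflects the requested path unescaped, beside the hardened variant that HTML-escapes it before interpolation. The message wording, function names and the constructed crafted path are assumptions.

```python
import html
import re

# Constructed sample: a request path carrying markup, as a crafted URL to a
# not-found view would. The value is assumed for illustration only.
CRAFTED_PATH = "does-not-exist/<script>alert(1)</script>"

# Matches the start of any tag-like sequence ("<h1", "</a", "< img", ...).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_not_found_unsafe(path: str) -> str:
    """Vulnerable variant: the requested path is interpolated into the
    error page verbatim, so markup in the URL becomes markup in the
    response and runs in the victim's browser (reflected XSS)."""
    return f"<h1>Could not navigate to '{path}'</h1>"


def render_not_found(path: str) -> str:
    """Hardened variant: the path is HTML-escaped before interpolation.
    quote=True also escapes ' and ", so the value is safe inside the
    surrounding quotes as well as in element text."""
    safe = html.escape(path, quote=True)
    return f"<h1>Could not navigate to '{safe}'</h1>"


def reflects_markup(page: str, path: str) -> bool:
    """Regression check for an error view: True when the raw request path
    contains tag-like input and that input reached the page unescaped."""
    return TAG_RE.search(path) is not None and path in page
```

`reflects_markup` is the kind of assertion to keep in an error-view unit test so the escaping cannot silently regress.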