VAADIN:CVE-2019-25027

Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13

2019-05-27 00:00:00
vaadin.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: None

CVSS3: 6.1 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality Impact: Low; Integrity Impact: Low; Availability Impact: None

EPSS: 0.001 Low (percentile 36.1%)

Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13) and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL. See CWE-81: Improper Neutralization of Script in an Error Message Web Page.

Description

Due to missing output sanitization, the default RouteNotFoundError view could be used to execute unwanted JavaScript in a user's browser if the user opens a specially crafted URL.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version | Mitigation
Vaadin 10.0.0 - 10.0.13 | Upgrade to 10.0.14 or a newer 10 version
Vaadin 11 - 12 | No longer supported. Upgrade to 13.0.6 or a newer version
Vaadin 13.0.0 - 13.0.5 | Upgrade to 13.0.6 or a newer version

Please note that Vaadin versions 11-13 and 15-17 are no longer supported and you should update either to the latest 14 or 18 version respectively. Also, updating to Vaadin 7 is only available to extended-support customers.

Artifacts

Maven coordinates | Vulnerable version | Fixed version
com.vaadin:flow-server | 1.0.0 - 1.0.10 | ≥ 1.0.11
com.vaadin:flow-server | 1.1 - 1.3 | N/A
com.vaadin:flow-server | 1.4.0 - 1.4.2 | ≥ 1.4.3

References

PR: https://github.com/vaadin/flow/pull/5498
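Two checks a practitioner would run against this advisory, as an added example that is neither the advisory's nor the vaadin/flow project's code: first, whether a com.vaadin:flow-server version falls inside the ranges in the Artifacts table above (note that 1.1 through 1.3 has no fixed artifact at all, so any version there is vulnerable); second, what "missing output sanitization" means concretely, by classifying whether an unknown-route error page echoed the requested path verbatim (markup would be parsed) or HTML-escaped. The base URL, the marker text and the two sample response bodies are constructed for the example and are not real captures.

```python
"""Added example, not code from the Vaadin advisory or the vaadin/flow project.
Helpers to (1) test a flow-server version against the advisory's vulnerable
ranges and (2) decide from a response body whether a not-found error page
reflected the path without HTML escaping (the CWE-81 condition). The base URL,
marker and sample bodies are constructed for this example."""

import html
from urllib.parse import quote

# Inclusive ranges from the advisory's Artifacts table, as (major, minor, patch).
VULNERABLE_RANGES = [
    ((1, 0, 0), (1, 0, 10)),  # Vaadin 10.0.0 - 10.0.13; fixed in >= 1.0.11
    ((1, 1, 0), (1, 4, 2)),   # Vaadin 11.0.0 - 13.0.5; fixed in >= 1.4.3, no fix for 1.1 - 1.3
]


def parse_version(version):
    """Turn '1.4.2' (or a short form such as '1.4') into a comparable tuple."""
    nums = [int(p) for p in version.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def flow_server_is_vulnerable(version):
    """True when the flow-server version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def build_probe_url(base_url, marker):
    """Request a route that cannot exist so the RouteNotFoundError view renders.
    The marker carries HTML metacharacters and is percent-encoded for the request
    line; the servlet container decodes it again before Flow sees the path.
    The marker deliberately contains no '/' (encoded slashes are rejected by some
    containers)."""
    return base_url.rstrip("/") + "/" + quote("no-such-route-" + marker)


def reflects_unescaped(body, marker):
    """Classify how the error page echoed the marker:
    'raw'     -> present verbatim, so the browser parses it as markup (unsafe)
    'escaped' -> only the HTML-escaped form is present (output was sanitized)
    'absent'  -> the path was not reflected at all"""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "escaped"
    return "absent"


# Constructed marker: an unknown element name, so it is harmless when parsed
# but still proves whether '<' and '>' survive unescaped.
MARKER = "<xss-probe>"

# Constructed sample bodies standing in for two server responses.
UNSANITIZED_BODY = "<div>Could not navigate to 'no-such-route-<xss-probe>'</div>"
SANITIZED_BODY = "<div>Could not navigate to 'no-such-route-&lt;xss-probe&gt;'</div>"

if __name__ == "__main__":
    for ver in ("1.0.10", "1.0.11", "1.2.0", "1.4.2", "1.4.3", "2.0.0"):
        print(ver, "vulnerable" if flow_server_is_vulnerable(ver) else "not in range")
    print(build_probe_url("https://app.example.test", MARKER))
    print("unsanitized page:", reflects_unescaped(UNSANITIZED_BODY, MARKER))
    print("sanitized page:", reflects_unescaped(SANITIZED_BODY, MARKER))
```

To use this against a real deployment, fetch `build_probe_url(...)` with the HTTP client of your choice and pass the response body to `reflects_unescaped`; a `raw` result on an unpatched flow-server version is the condition the advisory describes, and the only durable fix is the upgrade listed in the table.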
