CVSS2: 1.2 Low
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

CVSS3: 2.5 Low
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
  Percentile: 23.5%
URL encoding error in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in the browser. See CWE-172: Encoding Error.

Description
Improper URL sanitation in the frontend development server made it possible for an attacker to gain access to a locally running Vaadin application in the browser by executing cross-site scripting from another web page the developer has opened. To exploit this vulnerability, all of the following are required:
- There is an application running on the system with the frontend development server started, and the application contains some sensitive data, such as a production database clone;
- The attacker is aware of the application running on the developer's system, what data it provides and the Vaadin version it is running on;
- The developer opens an external site that executes the malicious script.
This vulnerability is not exploitable on deployed applications; it applies only at development time on the developer's machine.

Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version         | Mitigation
Vaadin 14.0.0 - 14.6.1  | Upgrade to 14.6.2 or newer 14 version
Vaadin 15 - 18          | No longer supported. Upgrade to 19.0.9 or newer version
Vaadin 19.0.0 - 19.0.8  | Upgrade to 19.0.9 or newer 19 version

Please note that Vaadin versions 15-18 are no longer supported and you should update to the latest 19 version.

Artifacts
Maven coordinates       | Vulnerable version | Fixed version
com.vaadin:flow-server  | 2.0.0 - 2.6.1      | ≥ 2.6.2
com.vaadin:flow-server  | 3.0 - 5.0          | N/A
com.vaadin:flow-server  | 6.0.0 - 6.0.9      | ≥ 6.0.10

References
PR: https://github.com/vaadin/flow/pull/11099