Description
A URL encoding error in the development mode handler of com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by getting a crafted URL opened in a browser. The vulnerable handler is only active in development mode, so the exposure is the developer's workstation and browser session while the application is served in that mode.
Remediation
Upgrade com.vaadin:flow-server to a release outside the affected ranges (2.6.2 or later on the 2.x line used by Vaadin 14, 6.0.10 or later on the line used by Vaadin 19); the linked Vaadin advisory lists the exact fixed platform releases. Until then, avoid opening untrusted links in a browser session that can reach an application running in development mode; production-mode deployments do not start the development mode handler and are not affected.
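As an added check (not part of this advisory and not Vaadin's own tooling), the script below reads `mvn dependency:tree` output and flags com.vaadin artifacts whose versions fall inside the affected ranges stated in the description. The dependency tree lines are constructed sample input; the mapping of the vaadin and vaadin-core platform artifacts onto the Vaadin 14.x/15.x-19.x ranges is an assumption drawn from the version pairing given in the description.

```python
import re
import sys
from typing import List, NamedTuple, Sequence, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]

# Inclusive affected ranges, copied from the advisory description.
FLOW_SERVER_AFFECTED: Sequence[Range] = (((2, 0, 0), (2, 6, 1)), ((3, 0, 0), (6, 0, 9)))
# The same ranges expressed as Vaadin platform versions (assumption: applied to
# the com.vaadin:vaadin and com.vaadin:vaadin-core platform artifacts).
VAADIN_AFFECTED: Sequence[Range] = (((14, 0, 0), (14, 6, 1)), ((15, 0, 0), (19, 0, 8)))

ARTIFACT_RANGES = {
    "flow-server": FLOW_SERVER_AFFECTED,
    "vaadin": VAADIN_AFFECTED,
    "vaadin-core": VAADIN_AFFECTED,
}

# One line of `mvn dependency:tree` output, e.g.
#   [INFO] |  +- com.vaadin:flow-server:jar:2.6.1:compile
# The coordinate format is groupId:artifactId:type[:classifier]:version:scope.
DEP_LINE_RE = re.compile(
    r"com\.vaadin:(flow-server|vaadin-core|vaadin):[^\s]*?:(\d+\.\d+\.\d+[^:\s]*):(\w+)"
)


class Finding(NamedTuple):
    artifact: str
    version: str
    affected: bool


def parse_version(text: str) -> Version:
    """Reduce a Maven version string to its numeric major.minor.patch triple.

    Caveat: pre-release qualifiers (e.g. "2.6.2.alpha1") are dropped, so a
    pre-release of the first fixed version is reported as not affected even
    though it may predate the fix. Treat such builds as suspect.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Maven version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str, ranges: Sequence[Range]) -> bool:
    """True if `version` falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def scan_dependency_tree(lines: Sequence[str]) -> List[Finding]:
    """Classify every com.vaadin artifact of interest found in dependency:tree output."""
    findings: List[Finding] = []
    for line in lines:
        m = DEP_LINE_RE.search(line)
        if not m:
            continue
        artifact, version, _scope = m.groups()
        findings.append(Finding(artifact, version, is_affected(version, ARTIFACT_RANGES[artifact])))
    return findings


# Constructed sample output, not taken from a real project: a Vaadin 14.6.1
# application pulling in flow-server 2.6.1 transitively.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- com.vaadin:vaadin-core:jar:14.6.1:compile
[INFO] |  +- com.vaadin:flow-server:jar:2.6.1:compile
[INFO] |  \\- com.vaadin:flow-client:jar:2.6.1:compile
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:2.4.5:compile
"""

if __name__ == "__main__":
    # Pipe real output in (`mvn dependency:tree | python check_vaadin.py`),
    # otherwise fall back to the constructed sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TREE.splitlines()
    for f in scan_dependency_tree(lines):
        status = "AFFECTED by CVE-2021-33604" if f.affected else "not affected"
        print(f"com.vaadin:{f.artifact}:{f.version} -> {status}")
```

Both the platform artifact and flow-server itself are checked because flow-server is normally a transitive dependency of vaadin or vaadin-core; a dependency-management override can pin flow-server to a version that does not match the platform line, so the flow-server line is the authoritative one.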
References
https://github.com/vaadin/flow/pull/11099
https://vaadin.com/security/cve-2021-33604
Related Vulnerabilities
CVE-2015-9236 Vulnerability in npm package hapi
CVE-2022-37616 Vulnerability in npm package xmldom
CVE-2023-46499 Vulnerability in npm package @evershop/evershop
CVE-2022-23464 Vulnerability in maven package com.nepxion:discovery-plugin-admin-center
CVE-2018-25007 Vulnerability in maven package com.vaadin:flow-server