Description

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Remediation

References

https://github.com/vaadin/flow/pull/15885

https://vaadin.com/security/CVE-2023-25499

Related Vulnerabilities

CVE-2014-2065 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8

CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-bukkit

CVE-2019-11358 Vulnerability in npm package jquery

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15to18

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory