Description
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
Remediation
References
https://github.com/vaadin/flow/pull/15885
https://vaadin.com/security/CVE-2023-25499
Related Vulnerabilities
CVE-2014-2065 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8
CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-bukkit
CVE-2019-11358 Vulnerability in npm package jquery
CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15to18