Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: sending modified requests can cause class and method names to be disclosed in RPC responses.
Remediation
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500