Description
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2: sending modified requests can cause class and method names to be disclosed in RPC responses.
Remediation
References
https://github.com/vaadin/flow/pull/16935
https://vaadin.com/security/cve-2023-25500
Related Vulnerabilities
CVE-2022-23458 Vulnerability in npm package tui-grid
CVE-2021-32808 Vulnerability in maven package org.webjars.npm:ckeditor4
CVE-2020-25638 Vulnerability in maven package org.hibernate:hibernate-core
CVE-2020-15138 Vulnerability in maven package org.webjars.npm:prismjs
CVE-2019-10754 Vulnerability in maven package org.apereo.cas:cas-server-support-shell