PT-2021-20228 · Vaadin · Vaadin+1

Pleku

Published

2021-06-24

Updated

2021-07-01

CVE-2021-33604

CVSS v3.1

2.5

Low

Vector

AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions com.vaadin:flow-server versions 2.0.0 through 2.6.1 com.vaadin:flow-server versions 3.0.0 through 6.0.9

Description A URL encoding error in the development mode handler allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser. This issue affects Vaadin versions 14.0.0 through 14.6.1 and 15.0.0 through 19.0.8.

Recommendations For com.vaadin:flow-server versions 2.0.0 through 2.6.1, update to a version outside of this range to resolve the issue. For com.vaadin:flow-server versions 3.0.0 through 6.0.9, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the development mode handler until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-172

Related Identifiers

CVE-2021-33604

GHSA-8VFW-V2JV-9HWC

GHSA-C99R-67X4-WHJ6

Affected Products

Vaadin

Com.Vaadin:Flow-Server

PT-2021-20228 · Vaadin · Vaadin+1

CVE-2021-33604

Weakness Enumeration

Related Identifiers

Affected Products

References · 9