PT-2021-8844 · Vaadin

Published 2021-04-19 · Updated 2021-05-05 · CVE-2018-25007

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
com.vaadin:flow-server versions 1.0.0 through 1.0.5
Vaadin versions 10.0.0 through 10.0.7
Vaadin versions 11.0.0 through 11.0.2

Description
A missing check in the UIDL request handler allows an attacker to update server-side element property values via a crafted synchronization message.

Recommendations
Update to a version outside of the affected range:
com.vaadin:flow-server versions 1.0.0 through 1.0.5
Vaadin versions 10.0.0 through 10.0.7
Vaadin versions 11.0.0 through 11.0.2
As a temporary workaround, consider restricting access to the UIDL request handler until a patch can be applied.
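The following is an added illustration and not Vaadin's code: a hypothetical, stripped-down synchronization handler that shows the class of defect the description names. It assumes (an assumption, not something this record states) that the missing check is "only properties the server explicitly opted in to may be updated by the client"; the class names, the node id, the property names and the crafted message are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Hypothetical server-side element (not Vaadin's Element API): a property bag plus
 *  the set of properties the server has opted in to client-driven updates. */
final class ServerElement {
    private final Map<String, Object> properties = new HashMap<>();
    private final Set<String> clientSynchronizable = new HashSet<>();

    ServerElement allowClientSync(String property) {
        clientSynchronizable.add(property);
        return this;
    }

    boolean isClientSynchronizable(String property) {
        return clientSynchronizable.contains(property);
    }

    void setProperty(String property, Object value) {
        properties.put(property, value);
    }

    Object getProperty(String property) {
        return properties.get(property);
    }
}

/** One property-update entry of an already-parsed client synchronization message. */
final class PropertySync {
    final int nodeId;
    final String property;
    final Object value;

    PropertySync(int nodeId, String property, Object value) {
        this.nodeId = nodeId;
        this.property = property;
        this.value = value;
    }
}

/** Hypothetical handler. enforceAllowlist=false reproduces the missing check (every
 *  property the client names is written); enforceAllowlist=true applies only updates
 *  the server opted in to and records the rest as rejected. */
final class UidlSyncHandler {
    private final Map<Integer, ServerElement> tree;
    private final boolean enforceAllowlist;

    UidlSyncHandler(Map<Integer, ServerElement> tree, boolean enforceAllowlist) {
        this.tree = tree;
        this.enforceAllowlist = enforceAllowlist;
    }

    /** Applies the message to the tree; returns the number of updates written. */
    int handle(List<PropertySync> message, List<String> rejected) {
        int applied = 0;
        for (PropertySync sync : message) {
            ServerElement element = tree.get(sync.nodeId);
            if (element == null) {
                rejected.add("unknown node " + sync.nodeId);
                continue;
            }
            // The check at issue: the client must not choose which server-side
            // properties it may overwrite; only server-declared ones are accepted.
            if (enforceAllowlist && !element.isClientSynchronizable(sync.property)) {
                rejected.add("node " + sync.nodeId + ": '" + sync.property
                        + "' is not client-synchronizable");
                continue;
            }
            element.setProperty(sync.property, sync.value);
            applied++;
        }
        return applied;
    }
}

public class MissingSyncCheckDemo {
    public static void main(String[] args) {
        // Constructed crafted message: a legitimate "value" update for node 7 plus an
        // attempt to flip the server-controlled "disabled" flag on the same node.
        List<PropertySync> crafted = List.of(
                new PropertySync(7, "value", "hello"),
                new PropertySync(7, "disabled", Boolean.FALSE));

        for (boolean hardened : new boolean[] {false, true}) {
            // Fresh server state per run: node 7 is a disabled text input that
            // only allows "value" to be synchronized from the client.
            ServerElement input = new ServerElement().allowClientSync("value");
            input.setProperty("disabled", Boolean.TRUE);
            Map<Integer, ServerElement> tree = new HashMap<>();
            tree.put(7, input);

            List<String> rejected = new ArrayList<>();
            int applied = new UidlSyncHandler(tree, hardened).handle(crafted, rejected);
            System.out.println((hardened ? "hardened" : "vulnerable") + ": applied=" + applied
                    + ", disabled=" + input.getProperty("disabled") + ", rejected=" + rejected);
        }
    }
}
```

Save as MissingSyncCheckDemo.java and run with `java MissingSyncCheckDemo.java` (Java 11 or later). The vulnerable run writes both entries, so the server-controlled "disabled" flag ends up false; the hardened run writes only "value" and records the "disabled" entry as rejected. Whether a rejected entry is dropped silently, logged, or fails the whole request is a design choice; the property that matters is that a client-supplied message can never write a property the server did not declare as client-synchronizable. The workaround in the recommendations, restricting who can reach the UIDL request handler at all, is a coarser version of the same principle.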

Weakness Enumeration

Improper Check for Unusual or Exceptional Conditions (CWE-754)

Related Identifiers

CVE-2018-25007
GHSA-3h5r-928v-mxhh
GHSA-jmx8-355m-8vwh

Affected Products

Vaadin
com.vaadin:flow-server