Skip to main content

Vaadin

15 CVEs product

Monthly

CVE-2023-25500 Maven MEDIUM PATCH This Month

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-25499 Maven MEDIUM PATCH This Month

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-29567 Maven HIGH PATCH This Week

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-33611 Maven MEDIUM POC PATCH This Month

Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Vaadin Vaadin Menu Bar
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-33609 Maven MEDIUM PATCH This Month

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Vaadin
NVD GitHub
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-33604 Maven LOW PATCH Monitor

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local. Rated low severity (CVSS 2.5), this vulnerability is no authentication required.

RCE Flow Server Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.3%
CVE-2021-31412 Maven MEDIUM PATCH This Month

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14),. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flow Vaadin
NVD GitHub
CVSS 3.1
5.3
EPSS
1.3%
CVE-2021-31409 Maven HIGH PATCH This Week

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-31411 Maven HIGH PATCH This Week

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Code Injection Flow Vaadin
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-31408 Maven HIGH PATCH This Week

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity.

CSRF Java Flow Vaadin
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2021-31407 Maven HIGH PATCH This Week

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flow Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
2.4%
CVE-2021-31406 Maven LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.2%
CVE-2021-31405 Maven HIGH PATCH This Week

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Flow Vaadin
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-31404 Maven LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.2%
CVE-2021-31403 Maven LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0. Rated low severity (CVSS 2.5).

CSRF Vaadin
NVD GitHub
CVSS 3.1
2.5
EPSS
0.3%
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Vaadin
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Vaadin Vaadin Menu Bar
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Vaadin
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local. Rated low severity (CVSS 2.5), this vulnerability is no authentication required.

RCE Flow Server Vaadin
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14),. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flow Vaadin
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Vaadin
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Code Injection Flow Vaadin
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity.

CSRF Java Flow +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Flow Vaadin
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Flow Vaadin
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to. Rated low severity (CVSS 2.5).

CSRF Flow Vaadin
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0. Rated low severity (CVSS 2.5).

CSRF Vaadin
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy