GHSA-c99r-67x4-whj6

Source

https://github.com/advisories/GHSA-c99r-67x4-whj6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-c99r-67x4-whj6/GHSA-c99r-67x4-whj6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c99r-67x4-whj6

Aliases

CVE-2021-33604

Published

2021-06-28T16:56:07Z

Modified

2024-02-17T05:31:46.930420Z

Severity

2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19

Details

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

https://vaadin.com/security/cve-2021-33604

Database specific

{
    "nvd_published_at": "2021-06-24T12:15:00Z",
    "cwe_ids": [
        "CWE-172"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-24T19:31:53Z"
}

References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.6.2

Affected versions

14.*

14.0.0

14.0.1

14.0.2

14.0.3

14.0.4

14.0.5

14.0.6

14.0.7

14.0.8

14.0.9

14.0.10

14.0.11

14.0.12

14.0.13

14.0.14

14.0.15

14.1.0

14.1.1

14.1.2

14.1.3

14.1.4

14.1.5

14.1.16

14.1.17

14.1.18

14.1.19

14.1.20

14.1.21

14.1.22

14.1.23

14.1.24

14.1.25

14.1.26

14.1.27

14.1.28

14.2.0

14.2.1

14.2.2

14.2.3

14.3.0

14.3.1

14.3.2

14.3.3

14.3.4

14.3.5

14.3.6

14.3.7

14.3.8

14.3.9

14.4.0

14.4.1

14.4.2

14.4.3

14.4.4

14.4.5

14.4.6

14.4.7

14.4.8

14.4.9

14.4.10

14.5.0

14.5.1

14.5.2

14.5.3

14.5.4

14.5.5

14.6.0

14.6.1

Database specific

{
    "last_known_affected_version_range": "<= 14.6.1"
}

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0.0

Fixed

19.0.9

Affected versions

15.*

15.0.0

15.0.1

15.0.2

15.0.3

15.0.4

15.0.5

15.0.6

16.*

16.0.0

16.0.1

16.0.2

16.0.3

16.0.4

16.0.5

17.*

17.0.0

17.0.1

17.0.2

17.0.3

17.0.4

17.0.6

17.0.7

17.0.8

17.0.9

17.0.10

17.0.11

18.*

18.0.0

18.0.1

18.0.2

18.0.3

18.0.4

18.0.5

18.0.6

18.0.7

19.*

19.0.0

19.0.1

19.0.2

19.0.3

19.0.4

19.0.5

19.0.6

19.0.7

19.0.8

Database specific

{
    "last_known_affected_version_range": "<= 19.0.8"
}