GHSA-jqj4-r483-4gvr

Suggest an improvement
Source
https://github.com/advisories/GHSA-jqj4-r483-4gvr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-jqj4-r483-4gvr/GHSA-jqj4-r483-4gvr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jqj4-r483-4gvr
Published
2021-04-19T14:48:51Z
Modified
2023-04-11T01:38:52.700903Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Details

Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.

  • https://vaadin.com/security/cve-2019-25027
References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.14

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.0.12
10.0.13

Maven / com.vaadin:vaadin-bom

Package

Name
com.vaadin:vaadin-bom
View open source insights on deps.dev
Purl
pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
13.0.6

Affected versions

11.*

11.0.0
11.0.1
11.0.2
11.0.3
11.0.4

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7

13.*

13.0.0
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5