GHSA-q74r-4xw3-ppx9

Source

https://github.com/advisories/GHSA-q74r-4xw3-ppx9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-q74r-4xw3-ppx9/GHSA-q74r-4xw3-ppx9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q74r-4xw3-ppx9

Aliases

CVE-2019-25028

Published

2021-04-19T14:49:48Z

Modified

2023-11-08T04:01:32.613814Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Stored cross-site scripting in Grid component in Vaadin 7 and 8

Details

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.

https://vaadin.com/security/cve-2019-25028

Database specific

{
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "github_reviewed_at": "2021-04-16T23:15:34Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}

References

Affected packages

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.0

Fixed

7.7.20

Affected versions

7.*

7.4.0

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

7.4.7

7.4.8

7.5.0.beta1

7.5.0.beta2

7.5.0.beta3

7.5.0.rc1

7.5.0.rc2

7.5.0

7.5.1

7.5.2

7.5.3

7.5.4

7.5.5

7.5.6

7.5.7

7.5.8

7.5.9

7.5.10

7.6.0.alpha1

7.6.0.alpha2

7.6.0

7.6.1

7.6.2

7.6.3

7.6.4

7.6.5

7.6.6

7.6.7

7.6.8

7.7.0

7.7.1

7.7.2

7.7.3

7.7.4

7.7.5

7.7.6

7.7.7

7.7.8

7.7.9

7.7.10

7.7.11

7.7.12

7.7.13

7.7.14

7.7.15

7.7.16

7.7.17

Maven / com.vaadin:vaadin-bom

Package

Name: com.vaadin:vaadin-bom; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-bom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.8.5

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.3.3

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.1

8.5.2

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.7.0.beta1

8.7.0

8.7.1

8.7.2

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

Maven / com.vaadin:vaadin-server

Package

Name: com.vaadin:vaadin-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.4.0

Fixed

7.7.20

Affected versions

7.*

7.4.0

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

7.4.7

7.4.8

7.5.0.alpha1

7.5.0.beta1

7.5.0.beta2

7.5.0.beta3

7.5.0.rc1

7.5.0.rc2

7.5.0

7.5.1

7.5.2

7.5.3

7.5.4

7.5.5

7.5.6

7.5.7

7.5.8

7.5.9

7.5.10

7.6.0.alpha1

7.6.0.alpha2

7.6.0

7.6.1

7.6.2

7.6.3

7.6.4

7.6.5

7.6.6

7.6.7

7.6.8

7.7.0

7.7.1

7.7.2

7.7.3

7.7.4

7.7.5

7.7.6

7.7.7

7.7.8

7.7.9

7.7.10

7.7.11

7.7.12

7.7.13

7.7.14

7.7.15

7.7.16

7.7.17

Maven / com.vaadin:vaadin-server

Package

Name: com.vaadin:vaadin-server; View open source insights on deps.dev
Purl: pkg:maven/com.vaadin/vaadin-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.8.5

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.3.3

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.1

8.5.2

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.7.0.beta1

8.7.0

8.7.1

8.7.2

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4