CVE-2021-31403 – Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
https://notcve.org/view.php?id=CVE-2021-31403
Non-constant-time comparison of CSRF tokens in the UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23) and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via a timing attack.
• https://github.com/vaadin/framework/pull/12188
• https://github.com/vaadin/framework/pull/12190
• https://vaadin.com/security/cve-2021-31403
• CWE-203: Observable Discrepancy
• CWE-208: Observable Timing Discrepancy
CVE-2020-36320 – Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7
https://notcve.org/view.php?id=CVE-2020-36320
Unsafe validation RegEx in the EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
• https://github.com/vaadin/framework/issues/7757
• https://github.com/vaadin/framework/pull/12104
• https://vaadin.com/security/cve-2020-36320
• CWE-400: Uncontrolled Resource Consumption
CVE-2019-25028 – Stored cross-site scripting in Grid component in Vaadin 7 and 8
https://notcve.org/view.php?id=CVE-2019-25028
Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19) and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector.
• https://github.com/vaadin/framework/pull/11644
• https://github.com/vaadin/framework/pull/11645
• https://vaadin.com/security/cve-2019-25028
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)