3 results (0.011 seconds)

CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack La comparación non-constant-time de tokens CSRF en el controlador de peticiones UIDL en com.vaadin:vaadin-server versiones 7.0.0 hasta 7.7.23 (Vaadin versiones 7.0.0 hasta 7.7.23) y versiones 8.0.0 hasta 8.12.2 (Vaadin versiones 8.0.0 hasta 8.12.2), permite al atacante adivinar un token de seguridad por medio de un ataque de sincronización • https://github.com/vaadin/framework/pull/12188 https://github.com/vaadin/framework/pull/12190 https://vaadin.com/security/cve-2021-31403 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. Una comprobación no segura de RegEx en la clase EmailValidator en com.vaadin: vaadin-server versiones 7.0.0 hasta 7.7.21 (Vaadin versiones 7.0.0 hasta 7.7.21) permite a atacantes causar un consumo de recursos no controlado al enviar direcciones de correo electrónico maliciosas • https://github.com/vaadin/framework/issues/7757 https://github.com/vaadin/framework/pull/12104 https://vaadin.com/security/cve-2020-36320 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector Una falta de un saneamiento de variables en el componente Grid en com.vaadin:vaadin-server versiones 7.4.0 hasta 7.7.19 (Vaadin versiones 7.4.0 hasta 7.7.19) y versiones 8.0.0 hasta 8.8.4 (Vaadin versiones 8.0.0 hasta 8.8.4 ), permite al atacante inyectar JavaScript malicioso por medio de un vector no especificado • https://github.com/vaadin/framework/pull/11644 https://github.com/vaadin/framework/pull/11645 https://vaadin.com/security/cve-2019-25028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •