CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33609 – Denial of service in DataCommunicator class in Vaadin 8
https://notcve.org/view.php?id=CVE-2021-33609
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. Una falta de comprobación en la clase DataCommunicator en com.vaadin:vaadin-server versiones 8.0.0 hasta 8.14.0 (Vaadin 8.0.0 hasta 8.14.0) permite a un atacante de red autenticado causar el agotamiento de la pila al solicitar demasiadas filas de datos • https://github.com/vaadin/framework/pull/12415 https://vaadin.com/security/cve-2021-33609 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-31409 – Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
https://notcve.org/view.php?id=CVE-2021-31409
Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. Una comprobación no segura RegEx en el componente EmailValidator en com.vaadin:vaadin-compatibility-server versiones 8.0.0 hasta 8.12.4, (Vaadin versiones 8.0.0 hasta 8.12.4) permite a atacantes causar un consumo de recursos no controlado mediante el envío de direcciones de correo electrónico maliciosas • https://github.com/vaadin/framework/issues/12240 https://github.com/vaadin/framework/pull/12241 https://vaadin.com/security/cve-2021-31409 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-31403 – Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
https://notcve.org/view.php?id=CVE-2021-31403
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack La comparación non-constant-time de tokens CSRF en el controlador de peticiones UIDL en com.vaadin:vaadin-server versiones 7.0.0 hasta 7.7.23 (Vaadin versiones 7.0.0 hasta 7.7.23) y versiones 8.0.0 hasta 8.12.2 (Vaadin versiones 8.0.0 hasta 8.12.2), permite al atacante adivinar un token de seguridad por medio de un ataque de sincronización • https://github.com/vaadin/framework/pull/12188 https://github.com/vaadin/framework/pull/12190 https://vaadin.com/security/cve-2021-31403 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-25028 – Stored cross-site scripting in Grid component in Vaadin 7 and 8
https://notcve.org/view.php?id=CVE-2019-25028
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector Una falta de un saneamiento de variables en el componente Grid en com.vaadin:vaadin-server versiones 7.4.0 hasta 7.7.19 (Vaadin versiones 7.4.0 hasta 7.7.19) y versiones 8.0.0 hasta 8.8.4 (Vaadin versiones 8.0.0 hasta 8.8.4 ), permite al atacante inyectar JavaScript malicioso por medio de un vector no especificado • https://github.com/vaadin/framework/pull/11644 https://github.com/vaadin/framework/pull/11645 https://vaadin.com/security/cve-2019-25028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •