CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-36319 – Potential sensitive data exposure in applications using Vaadin 15
https://notcve.org/view.php?id=CVE-2020-36319
Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController Una configuración no segura del ObjectMapper predeterminado en com.vaadin:flow-server versiones 3.0.0 hasta 3.0.5 (Vaadin versiones 15.0.0 hasta 15.0.4), pueden exponer datos confidenciales si la aplicación también usa, por ejemplo, @RestController • https://github.com/vaadin/flow/pull/8016 https://github.com/vaadin/flow/pull/8051 https://vaadin.com/security/cve-2020-36319 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-25027 – Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
https://notcve.org/view.php?id=CVE-2019-25027
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL Una falta de un saneamiento de salida en la visualización predeterminada de la función RouteNotFoundError en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.10 (Vaadin versiones 10.0.0 hasta 10.0.13) y versiones 1.1.0 hasta 1.4.2 (Vaadin versiones 11.0.0 hasta 13.0. 5), permite al atacante ejecutar JavaScript malicioso por medio de una URL diseñada • https://github.com/vaadin/flow/pull/5498 https://vaadin.com/security/cve-2019-25027 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-25007 – Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
https://notcve.org/view.php?id=CVE-2018-25007
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message. Una falta de comprobación en el controlador de peticiones UIDL en com.vaadin:flow-server versiones 1.0.0 hasta 1.0.5 (Vaadin versiones 10.0.0 hasta 10.0.7 y versiones 11.0.0 hasta 11.0.2), permiten al atacante actualizar los valores de propiedad del elemento por medio de mensaje de sincronización • https://github.com/vaadin/flow/pull/4774 https://vaadin.com/security/cve-2018-25007 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7082
https://notcve.org/view.php?id=CVE-2013-7082
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) 1.1.x before 1.1.1 and 2.0.x before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message. Vulnerabilidad de tipo cross-site scripting (XSS) en el método errorAction en la clase base ActionController en TYPO3 Flow (anteriormente FLOW3) versiones 1.1.x anteriores a 1.1.1 y versiones 2.0.x anteriores a 2.0.1, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de una entrada no especificada, que es devuelta en un mensaje de error. • http://osvdb.org/100825 http://secunia.com/advisories/55996 http://typo3.org/teams/security/security-bulletins/typo3-flow/typo3-flow-sa-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/89614 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •