CVSS: 4.3EPSS: 0%CPEs: 16EXPL: 0CVE-2023-25500
https://notcve.org/view.php?id=CVE-2023-25500
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. • https://github.com/vaadin/flow/pull/16935 https://vaadin.com/security/cve-2023-25500 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2023-25499 – Possible information disclosure in non visible components
https://notcve.org/view.php?id=CVE-2023-25499
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. • https://github.com/vaadin/flow/pull/15885 https://vaadin.com/security/CVE-2023-25499 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-29567 – Possible information disclosure inside TreeGrid component with default data provider
https://notcve.org/view.php?id=CVE-2022-29567
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side. La configuración por defecto de un componente TreeGrid usa Object::toString como clave en la comunicación con el cliente y el servidor en Vaadin versiones 14.8.5 hasta 14.8.9, 22.0.6 hasta 22.0.14, 23.0.0.beta2 hasta 23.0.8 y 23.1.0.alpha1 hasta 23.1.0.alpha4, resultando en una potencial divulgación de información de valores que no deberían estar disponibles en el lado del cliente • https://github.com/vaadin/flow-components/pull/3046 https://vaadin.com/security/cve-2022-29567 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33611 – Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14
https://notcve.org/view.php?id=CVE-2021-33611
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL Una falta de saneo de la salida en las fuentes de prueba en org.webjars.bowergithub.vaadin:vaadin-menu-bar versiones 1.0.0 hasta 1.2.0 (Vaadin versiones 14.0.0 hasta 14.4.4), permite a atacantes remotos ejecutar JavaScript malicioso en el navegador al abrir una URL diseñada • https://github.com/vaadin/vaadin-menu-bar/pull/126 https://vaadin.com/security/cve-2021-33611 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33609 – Denial of service in DataCommunicator class in Vaadin 8
https://notcve.org/view.php?id=CVE-2021-33609
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. Una falta de comprobación en la clase DataCommunicator en com.vaadin:vaadin-server versiones 8.0.0 hasta 8.14.0 (Vaadin 8.0.0 hasta 8.14.0) permite a un atacante de red autenticado causar el agotamiento de la pila al solicitar demasiadas filas de datos • https://github.com/vaadin/framework/pull/12415 https://vaadin.com/security/cve-2021-33609 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •