CVE-2023-25500
https://notcve.org/view.php?id=CVE-2023-25500
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. • https://github.com/vaadin/flow/pull/16935 https://vaadin.com/security/cve-2023-25500 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-25499 – Possible information disclosure in non visible components
https://notcve.org/view.php?id=CVE-2023-25499
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. • https://github.com/vaadin/flow/pull/15885 https://vaadin.com/security/CVE-2023-25499 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-29567 – Possible information disclosure inside TreeGrid component with default data provider
https://notcve.org/view.php?id=CVE-2022-29567
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side. La configuración por defecto de un componente TreeGrid usa Object::toString como clave en la comunicación con el cliente y el servidor en Vaadin versiones 14.8.5 hasta 14.8.9, 22.0.6 hasta 22.0.14, 23.0.0.beta2 hasta 23.0.8 y 23.1.0.alpha1 hasta 23.1.0.alpha4, resultando en una potencial divulgación de información de valores que no deberían estar disponibles en el lado del cliente • https://github.com/vaadin/flow-components/pull/3046 https://vaadin.com/security/cve-2022-29567 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-33611 – Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14
https://notcve.org/view.php?id=CVE-2021-33611
Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL Una falta de saneo de la salida en las fuentes de prueba en org.webjars.bowergithub.vaadin:vaadin-menu-bar versiones 1.0.0 hasta 1.2.0 (Vaadin versiones 14.0.0 hasta 14.4.4), permite a atacantes remotos ejecutar JavaScript malicioso en el navegador al abrir una URL diseñada • https://github.com/vaadin/vaadin-menu-bar/pull/126 https://vaadin.com/security/cve-2021-33611 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-33605 – Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20
https://notcve.org/view.php?id=CVE-2021-33605
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside enabled CheckboxGroup component via unspecified vectors. Una comprobación inapropiada en CheckboxGroup en las versiones: com.vaadin:vaadin-checkbox-flow 1.2.0 anterior a 2.0.0 (Vaadin 12.0.0 anterior a 14.0.0), 2.0.0 anterior a 3.0.0 (Vaadin 14.0.0 anterior a 14.5.0), 3.0.0 hasta 4.0.1 (Vaadin 15.0.0 hasta 17.0. 11), 14.5.0 hasta 14.6.7 (Vaadin 14.5.0 hasta 14.6.7), y 18.0.0 hasta 20.0.5 (Vaadin 18.0.0 hasta 20.0.5) permite a atacantes modificar el valor de un Checkbox deshabilitado dentro de un componente CheckboxGroup habilitado por medio de vectores no especificados. • https://github.com/vaadin/flow-components/pull/1903 https://vaadin.com/security/cve-2021-33605 • CWE-754: Improper Check for Unusual or Exceptional Conditions •