Vulnerabilities > Vaadin

DATE CVE VULNERABILITY TITLE RISK
2021-04-23 CVE-2021-31410 Exposure of Resource to Wrong Sphere vulnerability in Vaadin Designer
Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.
network
low complexity
vaadin CWE-668
7.5
2021-04-23 CVE-2021-31408 Insufficient Session Expiration vulnerability in Vaadin Flow and Vaadin
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
local
low complexity
vaadin CWE-613
7.1
2021-04-23 CVE-2021-31403 Information Exposure Through Discrepancy vulnerability in Vaadin
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack
local
high complexity
vaadin CWE-203
2.5
2021-04-23 CVE-2021-31404 Information Exposure Through Discrepancy vulnerability in Vaadin Flow
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and 5.0.0 through 5.0.2 (Vaadin 18.0.0 through 18.0.5) allows attacker to guess a security token via timing attack.
local
high complexity
vaadin CWE-203
2.5
2021-04-23 CVE-2021-31406 Information Exposure Through Discrepancy vulnerability in Vaadin
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to guess a security token for Fusion endpoints via timing attack.
local
high complexity
vaadin CWE-203
2.5
2021-04-23 CVE-2019-25027 Cross-site Scripting vulnerability in Vaadin Flow
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL
network
low complexity
vaadin CWE-79
6.1
2021-04-23 CVE-2021-31407 Exposure of Resource to Wrong Sphere vulnerability in Vaadin Flow
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
network
low complexity
vaadin CWE-668
7.5
2021-04-23 CVE-2018-25007 Improper Check for Unusual or Exceptional Conditions vulnerability in Vaadin Flow and Vaadin
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
network
low complexity
vaadin CWE-754
4.3
2021-04-23 CVE-2021-31405 Resource Exhaustion vulnerability in Vaadin Flow
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
network
low complexity
vaadin CWE-400
7.5
2021-04-23 CVE-2020-36321 Path Traversal vulnerability in Vaadin Flow
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outside of intended frontend resources folder.
network
low complexity
vaadin CWE-22
7.5