Reflected cross-site scripting in development mode handler in Vaadin

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

https://vaadin.com/security/cve-2021-33604

References

fluorumlabs published to vaadin/flow Jun 24, 2021

Reviewed Jun 24, 2021

Published to the GitHub Advisory Database Jun 28, 2021

Last updated Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code