GHSA-5f9v-mv5g-jh5q: Vaadin vulnerable to possible information disclosure in non visible components.

Description

When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

  • https://vaadin.com/security/cve-2023-25499
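As an added illustration that is not from the advisory or from the Vaadin project, the Java sketch below contrasts the pattern this issue affects (attaching a component and relying on setVisible(false) to hide it) with a server-side authorization check that never attaches the component at all. The view names, route paths and data values are hypothetical; only the standard Vaadin Flow API (Span, VerticalLayout, Route) is assumed.

```java
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;

// Risky pattern: the component holding sensitive data is attached to the UI
// and merely hidden. setVisible(false) only affects rendering; on the affected
// Vaadin versions the content of such a hidden component was still included in
// the update sent to the browser, where any user of the page can read it.
@Route("leaky-account")
public class LeakyAccountView extends VerticalLayout {

    public LeakyAccountView() {
        boolean isAdmin = false;                            // hypothetical role check result
        String internalNote = "internal note: admins only"; // hypothetical backend value

        Span note = new Span(internalNote);
        note.setVisible(isAdmin); // hides it in the DOM, does not keep it off the wire
        add(note);
    }
}

// Safer pattern: the authorization decision stays on the server, and the
// sensitive data is neither loaded nor attached unless the user may see it.
// Visibility is a presentation concern, not an access-control boundary, so this
// holds even on patched versions that no longer transmit non-visible nodes.
@Route("account")
class SafeAccountView extends VerticalLayout {

    SafeAccountView() {
        boolean isAdmin = false; // hypothetical role check result

        if (isAdmin) {
            add(new Span(loadInternalNote()));
        }
    }

    private static String loadInternalNote() {
        return "internal note: admins only"; // hypothetical backend call
    }
}
```

Upgrading com.vaadin:flow-server or com.vaadin:vaadin to a patched version stops the transmission of effectively non-visible nodes, but the second pattern is the one to keep regardless of version.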

Moderate severity. GitHub Reviewed. Published Jun 22, 2023 in vaadin/platform. Updated Jun 22, 2023.

Affected packages and versions

Package                          Affected versions              Patched version
com.vaadin:flow-server (Maven)   >= 1.0.0, < 1.0.20             1.0.20
                                 >= 1.1.0, < 2.8.10             2.8.10
                                 >= 3.0.0, < 9.1.1              9.1.1
                                 >= 23.0.0, < 23.3.11           23.3.11
                                 >= 24.0.0, < 24.0.8            24.0.8
                                 >= 24.1.0.alpha1, < 24.1.0     24.1.0
com.vaadin:vaadin (Maven)        >= 10.0.0, < 10.0.23           10.0.23
                                 >= 11.0.0, < 14.10.1           14.10.1
                                 >= 23.0.0, < 23.3.13           23.3.13
                                 >= 24.0.0, < 24.0.6            24.0.6
                                 >= 24.1.0.alpha1, < 24.1.0     24.1.0


Severity

CVSS 3.1 base vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
(network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, high confidentiality impact, no integrity or availability impact)

GHSA ID: GHSA-5f9v-mv5g-jh5q

Related news

CVE-2023-25499: Disable sending updates to client for effectively non-visible nodes by tepi · Pull Request #15885 · vaadin/flow
