Home

CVE-2021-33604

Description

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Risk Information

Base Score
2.5
MODERATE
Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.054

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-33604,CVE-2021-31412 are fixed in Vaadin - vaadin-bom 14.6.2Windows
Vulnerabilities CVE-2021-33604,CVE-2021-31412 are fixed in Vaadin - vaadin-bom 19.0.9Windows
Vulnerabilities CVE-2021-33604,CVE-2021-31412 are fixed in Vaadin - vaadin-bom for Linux 14.6.2Linux
Vulnerabilities CVE-2021-33604,CVE-2021-31412 are fixed in Vaadin - vaadin-bom for Linux 19.0.9Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234