Home

CVE-2025-15022

Description

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.Vaadin 14 is not affected as Spreadsheet component was not supported.Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:Product versionVaadin 7.0.0 - 7.7.49Vaadin 8.0.0 - 8.29.1Vaadin 23.1.0 - 23.6.5Vaadin 24.0.0 - 24.8.13Vaadin 24.9.0 - 24.9.6MitigationUpgrade to 7.7.50Upgrade to 8.30.0Upgrade to 23.6.6Upgrade to 24.8.14 or 24.9.7Upgrade to 25.0.0 or newerArtifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server7.0.0 - 7.7.497.7.50com.vaadin:vaadin-server8.0.0 - 8.29.18.30.0com.vaadin:vaadin23.1.0 - 23.6.523.6.6com.vaadin:vaadin24.0.0 - 24.8.1324.8.14com.vaadin:vaadin24.9.0 - 24.9.624.9.7com.vaadin:vaadin-spreadsheet-flow23.1.0 - 23.6.523.6.6com.vaadin:vaadin-spreadsheet-flow24.0.0 - 24.8.1324.8.14com.vaadin:vaadin-spreadsheet-flow24.9.0 - 24.9.624.9.7

Risk Information

Base Score
8.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
0.023

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin-server 7.7.50Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin-server 8.30.0Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin 23.6.6Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin 24.8.14Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin 24.9.7Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow 23.6.6Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow 24.8.14Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow 24.9.7Windows
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin-server for Linux 7.7.50Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin-server for Linux 8.30.0Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin for Linux 23.6.6Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin for Linux 24.8.14Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin-vaadin for Linux 24.9.7Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow for Linux 23.6.6Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow for Linux 24.8.14Linux
Vulnerabilities CVE-2025-15022 are fixed in Vaadin - vaadin-spreadsheet-flow for Linux 24.9.7Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234