Vaadin 7 security issues, solved in Vaadin 8 compatibility server?

Hi,
A certain customer of ours has done a security scan on our Vaadin 7 application and raised security issues; the report is attached.
We have a plan to migrate to the Vaadin 8 compatibility server. The question is: will the security issues be fixed after this migration to the Vaadin 8 compatibility server? In case the answer is no, please specify whether such issues are solved in Vaadin 8 (pure Vaadin 8 server), or Vaadin 10, Vaadin 11 or Vaadin 12.

Kind Regards.
17441479.htm (48.9 KB)

That report looks like it’s generated by an automated tool. In general, findings from such tools do not represent actual security issues, but rather things that someone with knowledge of web security issues should look into and interpret based on the context of that particular application.

In this case, I don’t see anything that would warrant a fix in any version of Vaadin. I expect very similar results regardless of which Vaadin version the application would be based on, so updating to e.g. Vaadin 8 or Vaadin 12 would not make a big difference. There’s the potential for a small defense-in-depth fix that we have been considering, but otherwise the things specific to Vaadin seem to be harmless based on the details mentioned in the report.

Some of the issues also seem to be unrelated to Vaadin itself, but rather related to how the server is set up or what your own application code does. I would in particular recommend that you have a look into the secure parameter for session cookies.
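The "secure parameter for session cookies" mentioned in the reply above is set by the servlet container, not by Vaadin. The following is an added example (not code from the thread or from Vaadin itself) showing how to set both the Secure and HttpOnly attributes on the container's session cookie (JSESSIONID) at startup. It assumes a Servlet 3.0+ container such as Tomcat or Jetty and that users reach the application over HTTPS; the class name `SessionCookieHardening` is hypothetical.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example (hypothetical class, not part of Vaadin): harden the
 * container-managed session cookie when the web application starts.
 * Works the same for a Vaadin 7, 8 or later application because the
 * session cookie belongs to the servlet container, not to Vaadin.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();

        // Secure: the browser only sends the session cookie over HTTPS, so a
        // session id is never exposed on a plain-HTTP request. Caveat: with
        // this set, a development setup served over plain HTTP will not keep
        // a session at all, because the browser silently drops the cookie.
        cookie.setSecure(true);

        // HttpOnly: the cookie is not readable from document.cookie, which
        // limits what a script-injection payload can steal.
        cookie.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release; the container discards the config with the context.
    }
}
```

The same setting can be made declaratively in `web.xml` with `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>`, which is often preferable because it keeps the decision visible to whoever operates the server. If TLS is terminated at a reverse proxy in front of the container, make sure the proxy forwards the original scheme (for example via `X-Forwarded-Proto`) and the container is configured to trust it; otherwise the container sees plain HTTP and other scheme-dependent behaviour, such as redirects, may be wrong even though the cookie attribute itself is still applied. After deploying, confirm the result by looking at the `Set-Cookie` header of the first response: it should contain both `Secure` and `HttpOnly`.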