Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL.
See CWE-81: Improper Neutralization of Script in an Error Message Web Page
Description
Due to missing output sanitization, the default RouteNotFoundError view could be used to execute unwanted JavaScript in a user's browser if the user opens a specially crafted URL.
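The weakness is in how the requested path reaches the DOM: an error view that assembles HTML as a string and inserts the raw path lets markup from the URL execute. The class below is an added example of a hardened replacement for the default 404 view; it is not Vaadin's own RouteNotFoundError and not the project's fix. It uses the Vaadin Flow router API (HasErrorParameter, BeforeEnterEvent, ErrorParameter, NotFoundException, Location.getPath) and the javax.servlet status constant that Vaadin 10 to 13 applications use; the class name SafeRouteNotFoundError and the escapeHtml helper are this example's own.

```java
// Added example (not Vaadin's own RouteNotFoundError and not the project's fix):
// a custom 404 view that never places the requested path into the DOM as HTML.
import javax.servlet.http.HttpServletResponse;

import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.component.html.Paragraph;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.ErrorParameter;
import com.vaadin.flow.router.HasErrorParameter;
import com.vaadin.flow.router.NotFoundException;

public class SafeRouteNotFoundError extends Div
        implements HasErrorParameter<NotFoundException> {

    @Override
    public int setErrorParameter(BeforeEnterEvent event,
            ErrorParameter<NotFoundException> parameter) {
        // The path is attacker-controlled: whatever appeared in the URL the
        // user followed arrives here unchanged.
        String path = event.getLocation().getPath();

        // Safe by construction: Paragraph(String) creates a DOM text node, so
        // '<' and '>' in the path are shown literally and never parsed as markup.
        add(new Paragraph("Could not navigate to '" + path + "'."));

        // If markup must be assembled as a string (as a template-based error
        // page would do), escape the untrusted part before it becomes innerHTML.
        String html = "<p class=\"hint\">Requested route: <code>"
                + escapeHtml(path) + "</code></p>";
        Div hint = new Div();
        hint.getElement().setProperty("innerHTML", html);
        add(hint);

        return HttpServletResponse.SC_NOT_FOUND;
    }

    /** Minimal HTML escaper for text placed in element content or quoted attributes. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Vaadin Flow uses an application class implementing HasErrorParameter<NotFoundException> in place of its default view, so dropping this class into a project replaces the vulnerable page even on a version that cannot be upgraded immediately. To confirm the result, request a route that does not exist and whose path contains a literal `<` character, and check that the error page shows it as text rather than interpreting it.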
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version | Mitigation
Vaadin 10.0.0 - 10.0.13 | Upgrade to 10.0.14 or newer 10 version
Vaadin 11 - 12 | No longer supported. Upgrade to 13.0.6 or newer version
Vaadin 13.0.0 - 13.0.5 | Upgrade to 13.0.6 or newer version
Please note that Vaadin versions 11-13 and 15-17 are no longer supported; you should update to the latest 14 or 18 version respectively. Also, updates to Vaadin 7 are only available to extended-support customers.
Artifacts
Maven coordinates | Vulnerable version | Fixed version
com.vaadin:flow-server | 1.0.0 - 1.0.10 | ≥ 1.0.11
com.vaadin:flow-server | 1.1 - 1.3 | N/A
com.vaadin:flow-server | 1.4.0 - 1.4.2 | ≥ 1.4.3