All vulnerability reports

Stored cross-site scripting in Grid component in Vaadin 7 and 8

Severity:
Medium (Base score 5.4) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Overview

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.

See CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Description

Due to missing variable sanitation, the Grid Header Caption could be used to store malicious data and execute unwanted JavaScript in a user's browser e.g. when untrusted users are allowed to add new grid columns that are shown to other users.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 7.0.0 - 7.7.19 Upgrade to 7.7.20 or newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.8.4 Upgrade to 8.8.5 or newer 8 version

Please note that updating to Vaadin 7 is only available to extended-support customers.

Artifacts

Maven coordinates Vulnerable version Fixed version
com.vaadin:vaadin-server 7.4.0 - 7.7.19 ≥ 7.7.20
com.vaadin:vaadin-server 8.0.0 - 8.8.4 ≥ 8.8.5

Credit

This issue was discovered and responsibly reported by MATE Marketing Technologie.

References

History

2019-07-04: Initial vulnerability report published