Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and Vaadin 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
Server-side element property values can be updated from the client in unexpected situations. This would allow the element property value to be updated from the client with a fake synchronization message to the server, affecting logic that reads element property values and expects those to be immutable from the client side.
The server-side value was updated only in cases where client filter was not set, meaning that read-only and disabled element property updates were blocked and not affected by this issue.
Another case where updates were not blocked was when template model had beans in a list; the properties of the beans could be updated when not desired. Any other updates for the template model were not affected by this issue.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: