Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4), allows an attacker to inject malicious JavaScript via an unspecified vector.
See CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Description
Due to missing variable sanitization, the Grid header caption could be used to store malicious data and execute unwanted JavaScript in a user's browser, e.g. when untrusted users are allowed to add new grid columns that are shown to other users.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
| Vaadin 7.0.0 - 7.7.19 | Upgrade to 7.7.20 or newer 7 version (Vaadin 7 extended maintenance) |
| Vaadin 8.0.0 - 8.8.4 | Upgrade to 8.8.5 or newer 8 version |
Please note that updates to Vaadin 7 are only available to extended-support customers.
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:vaadin-server | 7.4.0 - 7.7.19 | ≥ 7.7.20 |
| com.vaadin:vaadin-server | 8.0.0 - 8.8.4 | ≥ 8.8.5 |
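As an added example that is not part of this advisory, the following Python check applies the vaadin-server ranges from the Artifacts table above to a build's dependency output; it assumes the `groupId:artifactId:type:version:scope` line format printed by `mvn dependency:list`, and the sample lines are constructed.

```python
import re
from typing import List, Optional, Tuple
# Affected ranges for com.vaadin:vaadin-server from the Artifacts table above
# (inclusive bounds), paired with the first fixed release of each line.
AFFECTED_RANGES = (
    ((7, 4, 0), (7, 7, 19), "7.7.20"),
    ((8, 0, 0), (8, 8, 4), "8.8.5"),
)
ARTIFACT = "com.vaadin:vaadin-server"
# Only major.minor.patch is compared; a qualifier such as ".beta1" is ignored,
# so a pre-release of a fixed version counts as fixed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# groupId:artifactId:type:version:scope as printed by `mvn dependency:list`
# (coordinates that also carry a classifier are not handled here).
_COORD_RE = re.compile(r"([^\s:]+:[^\s:]+):[^\s:]+:([^\s:]+):[^\s:]+")

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.7.19' into (7, 7, 19) so ranges compare numerically, not as strings."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is affected, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed <= high:
            return fixed
    return None

def scan_dependencies(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (version, fixed_version) for each affected vaadin-server line."""
    findings = []
    for line in dependency_list.splitlines():
        match = _COORD_RE.search(line)
        if match is None or match.group(1) != ARTIFACT:
            continue  # other artifacts and non-coordinate lines are skipped
        fixed = fixed_version_for(match.group(2))
        if fixed is not None:
            findings.append((match.group(2), fixed))
    return findings

# Constructed sample in `mvn dependency:list` format, not real build output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    com.vaadin:vaadin-server:jar:7.7.10:compile
[INFO]    com.vaadin:vaadin-client:jar:7.7.10:compile
[INFO]    com.vaadin:vaadin-server:jar:8.8.5:compile
"""
```

Running `scan_dependencies(SAMPLE_DEPENDENCY_LIST)` on the sample flags only the 7.7.10 server artifact, pointing at 7.7.20 as the first fixed release.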
Credit
This issue was discovered and responsibly reported by MATE Marketing Technologie.
References