
Stored cross-site scripting in Grid component in Vaadin 7 and 8

Medium (Base score 5.4) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE entry:


Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19) and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector.

See CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)


Due to missing variable sanitization, the Grid header caption could be used to store malicious data and execute unwanted JavaScript in a user's browser, e.g. when untrusted users are allowed to add new grid columns that are shown to other users.
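The pattern the advisory describes is an untrusted user choosing a column name that then becomes a Grid header caption rendered for other users. The following is an added example, not code from the advisory or from Vaadin, of an application-side guard for that pattern on an affected version that cannot be upgraded immediately. It assumes the Vaadin 8 API (com.vaadin.ui.Grid, Column.setCaption); the Person bean, the helper names and the length limit are constructed for this example.

```java
// Added example (not from the advisory or from Vaadin): validate or escape a
// user-supplied column name before it becomes a Grid header caption.
// Assumes the Vaadin 8 API; Person, isPlainCaption, escapeHtml and the
// 64-character limit are constructed for this example.
import com.vaadin.ui.Grid;

public class SafeGridCaptions {

    /** Escape the characters that can open tag or attribute context in HTML. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Stricter check: accept only letters, digits, space, underscore, hyphen. */
    static boolean isPlainCaption(String s) {
        return s != null
                && s.length() <= 64
                && s.matches("[\\p{L}\\p{N} _\\-]+");
    }

    /** Minimal bean for the grid rows (constructed for this example). */
    static class Person {
        private final String name;
        Person(String name) { this.name = name; }
        String getName() { return name; }
    }

    /**
     * Builds a grid whose single column is named by an untrusted user.
     * On vaadin-server 7.4.0-7.7.19 / 8.0.0-8.8.4 a caption containing
     * markup is stored and rendered as-is for every viewer of the grid.
     */
    static Grid<Person> buildGrid(String userSuppliedCaption) {
        Grid<Person> grid = new Grid<>();

        // Defensive pattern: accept only plain labels; anything else is either
        // rejected by the caller or escaped so it renders as text, not markup.
        if (!isPlainCaption(userSuppliedCaption)) {
            throw new IllegalArgumentException("column name is not a plain label");
        }
        grid.addColumn(Person::getName).setCaption(userSuppliedCaption);
        return grid;
    }
}
```

Rejecting non-plain labels (isPlainCaption) is the safer of the two helpers to keep after upgrading: once a fixed release escapes captions itself, applying escapeHtml as well would display entities such as `&lt;` literally in the header.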

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version          Mitigation
Vaadin 7.0.0 - 7.7.19    Upgrade to 7.7.20 or a newer 7 version (Vaadin 7 extended maintenance)
Vaadin 8.0.0 - 8.8.4     Upgrade to 8.8.5 or a newer 8 version

Please note that updating to Vaadin 7 is only available to extended-support customers.


Maven coordinates           Vulnerable version    Fixed version
com.vaadin:vaadin-server    7.4.0 - 7.7.19        ≥ 7.7.20
com.vaadin:vaadin-server    8.0.0 - 8.8.4         ≥ 8.8.5


This issue was discovered and responsibly reported by MATE Marketing Technologie.



  • 2019-07-04: Initial vulnerability report published