Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.
See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version |
Mitigation |
| Vaadin Designer 4.3.0 - 4.6.3 |
Upgrade to 4.6.4 or newer version |