Improper URL sanitation with the frontend development server made it possible for attacker to gain access to a locally running Vaadin application in the browser by executing cross-site scripting from another web page the developer has opened. To exploit this vulnerability, the following is required:
There is an application running on the system with the frontend development server started and the application contains some sensitive data like a production data base clone;
The attacker is aware of application running on the developer’s system, what data it provides and the Vaadin version it is running on;
The developer opens an external site that executes the malicious script.
This vulnerability is not exploitable on deployed applications, but only for development time on developer’s machine.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Vaadin 14.0.0 - 14.6.1
Upgrade to 14.6.2 or newer 14 version
Vaadin 15 - 18
No longer supported. Upgrade to 19.0.9 or newer version
Vaadin 19.0.0 - 19.0.8
Upgrade to 19.0.9 or newer 19 version
Please note that Vaadin versions 15-18 are no longer supported and you should update either to the latest 19 version.