URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
See CWE-172: Encoding Error
Description
Improper URL sanitation with the frontend development server made it possible for attacker to gain access to a locally running Vaadin application in the browser by executing cross-site scripting from another web page the developer has opened. To exploit this vulnerability, the following is required:
- There is an application running on the system with the frontend development server started and the application contains some sensitive data like a production data base clone;
- The attacker is aware of application running on the developer’s system, what data it provides and the Vaadin version it is running on;
- The developer opens an external site that executes the malicious script.
This vulnerability is not exploitable on deployed applications, but only for development time on developer’s machine.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version |
Mitigation |
| Vaadin 14.0.0 - 14.6.1 |
Upgrade to 14.6.2 or newer 14 version |
| Vaadin 15 - 18 |
No longer supported. Upgrade to 19.0.9 or newer version |
| Vaadin 19.0.0 - 19.0.8 |
Upgrade to 19.0.9 or newer 19 version |
Please note that Vaadin versions 15-18 are no longer supported and you should update either to the latest 19 version.
Artifacts
| Maven coordinates |
Vulnerable version |
Fixed version |
| com.vaadin:flow-server |
2.0.0 - 2.6.1 |
≥ 2.6.2 |
| com.vaadin:flow-server |
3.0 - 5.0 |
N/A |
| com.vaadin:flow-server |
6.0.0 - 6.0.9 |
≥ 6.0.10 |
References