Cross-site scripting in Action caption
Severity:
Medium (Base score 5.1) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVE entry:
Overview
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.
See CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Description
In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.
In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.
Vaadin 14 is not affected, as the Spreadsheet component was not supported on that version.
Affected products and mitigation
Users of affected versions should upgrade to a fixed version.
| Product version | Mitigation |
|---|---|
| Vaadin 7.0.0 - 7.7.49 | Upgrade to 7.7.50 |
| Vaadin 8.0.0 - 8.29.1 | Upgrade to 8.30.0 |
| Vaadin 23.1.0 - 23.6.5 | Upgrade to 23.6.6 |
| Vaadin 24.0.0 - 24.8.13 | Upgrade to 24.8.14 |
| Vaadin 24.9.0 - 24.9.6 | Upgrade to 24.9.7 |
Alternatively, upgrade to Vaadin 25.0.0 or newer.
Workaround: Ensure that Action captions are not derived from untrusted user input, or manually sanitize any user-provided content before using it as an Action caption.
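The following is an added example, not code from Vaadin or from the referenced fix, showing the workaround above for applications that cannot upgrade yet: untrusted text is cleaned with Jsoup before it is used as an Action caption. It assumes only that jsoup is on the classpath (the fixed Vaadin versions use the same library); the relaxed safelist mirrors what the description says the fix applies, and `Safelist.none()` is offered as a stricter alternative that keeps text only. The class name, method names and sample captions are constructed for illustration; the comment on how the result would be handed to `com.vaadin.event.Action` in Vaadin 8 is an assumption about typical usage, not part of the advisory.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Added example (not Vaadin's own code): clean caption text before it
 * reaches an Action, as the advisory's workaround recommends.
 * Requires org.jsoup:jsoup (1.14.1 or newer for the Safelist class;
 * older releases call it Whitelist).
 */
public final class CaptionSanitizer {

    private CaptionSanitizer() {}

    /**
     * Keeps basic formatting (bold, links, images with http/https sources)
     * and removes scripts, event-handler attributes and unsafe URL schemes.
     * This matches the "relaxed safelist" the fixed versions apply.
     */
    public static String sanitizeRelaxed(String untrustedCaption) {
        if (untrustedCaption == null) {
            return "";
        }
        return Jsoup.clean(untrustedCaption, Safelist.relaxed());
    }

    /**
     * Stricter option: strips every tag and returns escaped text only.
     * Use this when captions never need markup.
     */
    public static String sanitizeStrict(String untrustedCaption) {
        if (untrustedCaption == null) {
            return "";
        }
        return Jsoup.clean(untrustedCaption, Safelist.none());
    }

    public static void main(String[] args) {
        // Constructed sample captions: benign markup, an event-handler
        // attribute, and a non-http link scheme, to show what each mode keeps.
        String[] samples = {
            "Copy <b>cell</b>",
            "Paste <img src=\"x\" onerror=\"alert(1)\">",
            "<a href=\"javascript:alert(1)\">Delete</a>"
        };
        for (String sample : samples) {
            System.out.println("input:   " + sample);
            System.out.println("relaxed: " + sanitizeRelaxed(sample));
            System.out.println("strict:  " + sanitizeStrict(sample));
            System.out.println();
        }
        // Assumed usage in Vaadin 8 (not shown on the page):
        //   new com.vaadin.event.Action(sanitizeRelaxed(userSuppliedText))
    }
}
```

Run it with jsoup on the classpath to compare the two modes on the sample captions; the relaxed output retains `<b>` and the link text while the event handler and `javascript:` scheme are dropped, and the strict output contains no tags at all. Sanitize at the point where the caption is built from user data, not at display time, so that every component consuming the Action receives already-clean text.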
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:vaadin-server | 7.0.0 - 7.7.49 | ≥7.7.50 |
| com.vaadin:vaadin-server | 8.0.0 - 8.29.1 | ≥8.30.0 |
| com.vaadin:vaadin | 23.1.0 - 23.6.5 | ≥23.6.6 |
| com.vaadin:vaadin | 24.0.0 - 24.8.13 | ≥24.8.14 |
| com.vaadin:vaadin | 24.9.0 - 24.9.6 | ≥24.9.7 |
| com.vaadin:vaadin-spreadsheet-flow | 23.1.0 - 23.6.5 | ≥23.6.6 |
| com.vaadin:vaadin-spreadsheet-flow | 24.0.0 - 24.8.13 | ≥24.8.14 |
| com.vaadin:vaadin-spreadsheet-flow | 24.9.0 - 24.9.6 | ≥24.9.7 |
References
- https://github.com/vaadin/flow-components/pull/8285
History
- 2026-01-05: Initial vulnerability report published