Low severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 16, 2024
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
CVE-2018-25007
Description
A missing check in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows an attacker to update element property values via a crafted synchronization message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.vaadin:flow-server | Maven | >= 1.0.0, < 1.0.6 | 1.0.6 |
Affected products
- Range: 1.0.0
References
- github.com/advisories/GHSA-jmx8-355m-8vwh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-25007 (NVD advisory)
- github.com/vaadin/flow/pull/4774 (fix pull request)
- github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh (vendor advisory)
- vaadin.com/security/cve-2018-25007 (vendor advisory)