Low severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 16, 2024
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
CVE-2018-25007
Description
A missing check in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows an attacker to update element property values via a crafted synchronization message. The handler applied client-sent property updates without verifying that the server had actually marked the targeted property as synchronizable from the client, so properties the application treated as server-controlled could be overwritten from the browser.
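The following stand-alone model illustrates the class of check the advisory describes as missing. It is an added example, not Vaadin's code and not the fix shipped in flow-server 1.0.6; the names PropertySyncMessage, ServerElement, UidlHandler and synchronizeProperty are hypothetical stand-ins for the real framework types, and the message is modelled as a plain Java object rather than the JSON the real UIDL protocol carries. The vulnerable handler applies every synchronization message it receives; the hardened handler only applies updates for properties the server-side code explicitly opted in to receive from the client.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical model of server-side handling of a client-to-server
 * property synchronization message. Not Vaadin's implementation.
 */
public class PropertySyncCheckDemo {

    /** One "sync" entry from a UIDL request: target node, property name, new value. */
    record PropertySyncMessage(int nodeId, String property, Object value) {}

    /** Server-side element state plus the set of properties the developer allowed the client to push. */
    static final class ServerElement {
        final int nodeId;
        final Map<String, Object> properties = new HashMap<>();
        final Set<String> clientSyncedProperties = new HashSet<>();

        ServerElement(int nodeId) { this.nodeId = nodeId; }

        /** Mirrors the developer declaring that the client may update this property (e.g. a field's "value"). */
        void synchronizeProperty(String property) { clientSyncedProperties.add(property); }
    }

    /** Request handler; enforceAllowList=false reproduces the vulnerable behaviour, true the hardened one. */
    static final class UidlHandler {
        private final Map<Integer, ServerElement> tree = new HashMap<>();
        private final boolean enforceAllowList;

        UidlHandler(boolean enforceAllowList) { this.enforceAllowList = enforceAllowList; }

        void attach(ServerElement element) { tree.put(element.nodeId, element); }

        /** Returns true when the update was applied to the server-side element. */
        boolean handle(PropertySyncMessage msg) {
            ServerElement element = tree.get(msg.nodeId());
            if (element == null) {
                return false; // unknown node: nothing to update
            }
            if (enforceAllowList && !element.clientSyncedProperties.contains(msg.property())) {
                return false; // hardened: property is server-controlled, reject the client update
            }
            element.properties.put(msg.property(), msg.value());
            return true;
        }
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] {false, true}) {
            ServerElement field = new ServerElement(7);
            field.properties.put("value", "");
            field.properties.put("readonly", true); // decided by the server, never by the client
            field.synchronizeProperty("value");     // only "value" is allowed to come from the client

            UidlHandler handler = new UidlHandler(hardened);
            handler.attach(field);

            // Legitimate message: the user typed into the field (constructed sample input).
            boolean valueApplied = handler.handle(new PropertySyncMessage(7, "value", "hello"));
            // Crafted message: the client tries to flip a server-controlled property.
            boolean readonlyApplied = handler.handle(new PropertySyncMessage(7, "readonly", false));

            System.out.printf("hardened=%b value update applied=%b readonly update applied=%b readonly now=%s%n",
                    hardened, valueApplied, readonlyApplied, field.properties.get("readonly"));
        }
    }
}
```

With enforceAllowList=false the crafted message succeeds and "readonly" becomes false; with enforceAllowList=true the "value" update still goes through while the "readonly" update is rejected. When auditing a client/server UI framework for this pattern, the question to ask is whether the server decides per property which updates it accepts, or whether it trusts any property name the client chooses to send.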
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.vaadin:flow-server (Maven) | >= 1.0.0, < 1.0.6 | 1.0.6 |
Affected products
- Vaadin/flow-server, Range: 1.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jmx8-355m-8vwh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-25007 (NVD advisory)
- github.com/vaadin/flow/pull/4774 (fix pull request)
- github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh (vendor advisory)
- vaadin.com/security/cve-2018-25007 (vendor advisory)