Moderate severity · NVD Advisory · Published Apr 23, 2021 · Updated Sep 16, 2024
Stored cross-site scripting in Grid component in Vaadin 7 and 8
CVE-2019-25028
Description
Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19) and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector (stored cross-site scripting).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| com.vaadin:vaadin-bom | >= 7.4.0, < 7.7.20 | 7.7.20 |
| com.vaadin:vaadin-bom | >= 8.0.0, < 8.8.5 | 8.8.5 |
| com.vaadin:vaadin-server | >= 7.4.0, < 7.7.20 | 7.7.20 |
| com.vaadin:vaadin-server | >= 8.0.0, < 8.8.5 | 8.8.5 |
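The practical question for a consumer of this advisory is whether a build declares one of the affected versions. The following is an added example, not code from the advisory or from the Vaadin project: a small Python script that encodes the four ranges from the table above, resolves `${property}` placeholders in a Maven `pom.xml`, and reports which `com.vaadin` dependencies (including a `vaadin-bom` import under `dependencyManagement`) fall inside a vulnerable range. The sample `pom.xml` is constructed for the example; version qualifiers such as `-SNAPSHOT` are stripped before the numeric comparison, which is a simplification of Maven's own ordering.

```python
"""Check declared Vaadin versions in a pom.xml against the affected ranges
listed for CVE-2019-25028 (com.vaadin:vaadin-server, com.vaadin:vaadin-bom).

Added example; not part of the advisory or the Vaadin project.
"""
import re
import xml.etree.ElementTree as ET

# Ranges copied from the advisory's "Affected packages" table:
# (artifactId, inclusive lower bound, exclusive upper bound, patched version)
AFFECTED_RANGES = [
    ("vaadin-server", "7.4.0", "7.7.20", "7.7.20"),
    ("vaadin-server", "8.0.0", "8.8.5", "8.8.5"),
    ("vaadin-bom", "7.4.0", "7.7.20", "7.7.20"),
    ("vaadin-bom", "8.0.0", "8.8.5", "8.8.5"),
]

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(v):
    """'8.8.4' -> (8, 8, 4); '7.7' -> (7, 7, 0). Trailing qualifiers such as
    '-SNAPSHOT' or '.beta1' are dropped (simplification of Maven ordering).
    Raises ValueError when the string does not start with a numeric version."""
    core = re.match(r"^\d+(\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:          # pad so 7.4 compares equal to 7.4.0
        parts.append(0)
    return tuple(parts)


def is_affected(artifact, version):
    """Return the patched version to upgrade to when (artifact, version) lies
    in an affected range, otherwise None. Unparseable versions (for example an
    unresolved ${property}) are treated as 'unknown' and return None."""
    try:
        pv = parse_version(version)
    except ValueError:
        return None
    for art, lo, hi, fixed in AFFECTED_RANGES:
        if art == artifact and parse_version(lo) <= pv < parse_version(hi):
            return fixed
    return None


def scan_pom(pom_xml):
    """Scan a pom.xml string. Returns a list of
    (artifactId, resolved version, patched version or None) for every
    com.vaadin dependency, including dependencyManagement imports."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    # <properties> values are needed to resolve ${vaadin.version}-style versions.
    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        gid = (dep.findtext(f"{ns}groupId", default="") or "").strip()
        aid = (dep.findtext(f"{ns}artifactId", default="") or "").strip()
        ver = (dep.findtext(f"{ns}version", default="") or "").strip()
        if gid != "com.vaadin":
            continue
        # Substitute known properties; unknown placeholders are left as-is and
        # will be reported as unresolved rather than silently marked safe.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        findings.append((aid, ver, is_affected(aid, ver)))
    return findings


# Constructed sample pom.xml for the example (not a real project's build file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <properties><vaadin.version>8.8.4</vaadin.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.vaadin</groupId><artifactId>vaadin-bom</artifactId>
      <version>${vaadin.version}</version><type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.vaadin</groupId><artifactId>vaadin-server</artifactId>
      <version>${vaadin.version}</version>
    </dependency>
    <dependency>
      <groupId>com.vaadin</groupId><artifactId>vaadin-client-compiled</artifactId>
      <version>${vaadin.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, fixed in scan_pom(SAMPLE_POM):
        status = f"VULNERABLE, upgrade to {fixed}" if fixed else "not in an affected range"
        print(f"com.vaadin:{artifact} {version or '<unresolved>'}: {status}")
```

Versions inherited from a parent POM or pinned only by a BOM will show up with an empty version here; for those, run `mvn dependency:tree` and feed the resolved `com.vaadin:vaadin-server` version to `is_affected` instead of relying on the declared text.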
Affected products
- Vaadin/vaadin-server (v5), range: 7.4.0
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-q74r-4xw3-ppx9 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-25028 (NVD advisory)
- https://github.com/vaadin/framework/pull/11644
- https://github.com/vaadin/framework/pull/11645
- https://github.com/vaadin/framework/security/advisories/GHSA-q74r-4xw3-ppx9
- https://vaadin.com/security/cve-2019-25028