Moderate severityNVD Advisory· Published Nov 2, 2021· Updated Sep 17, 2024

Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14

CVE-2021-33611

Description

Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in browser by opening crafted URL

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.vaadin:vaadin-bomMaven	>= 14.0.0, < 14.4.5	14.4.5
org.webjars.bowergithub.vaadin:vaadin-menu-barMaven	>= 1.0.0, < 1.2.1	1.2.1

Affected products

Vaadin/Vaadinv5
Range: 14.0.0
Vaadin/vaadin-menu-barv5
Range: 1.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-93c4-vf86-3rj7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-33611ghsaADVISORY
github.com/vaadin/platform/security/advisories/GHSA-93c4-vf86-3rj7ghsaWEB
github.com/vaadin/vaadin-menu-bar/pull/126ghsax_refsource_CONFIRMWEB
vaadin.com/security/cve-2021-33611ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000