Moderate severityNVD Advisory· Published Jun 22, 2023· Updated Dec 5, 2024

Possible information disclosure in non visible components

CVE-2023-25499

Description

When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.vaadin:vaadinMaven	>= 10.0.0, < 10.0.23	10.0.23
com.vaadin:vaadinMaven	>= 11.0.0, < 14.10.1	14.10.1
com.vaadin:vaadinMaven	>= 23.0.0, < 23.3.13	23.3.13
com.vaadin:vaadinMaven	>= 24.0.0, < 24.0.6	24.0.6
com.vaadin:vaadinMaven	>= 24.1.0.alpha1, < 24.1.0	24.1.0
com.vaadin:flow-serverMaven	>= 1.0.0, < 1.0.20	1.0.20
com.vaadin:flow-serverMaven	>= 1.1.0, < 2.8.10	2.8.10
com.vaadin:flow-serverMaven	>= 3.0.0, < 9.1.1	9.1.1
com.vaadin:flow-serverMaven	>= 23.0.0, < 23.3.11	23.3.11
com.vaadin:flow-serverMaven	>= 24.0.0, < 24.0.8	24.0.8
com.vaadin:flow-serverMaven	>= 24.1.0.alpha1, < 24.1.0	24.1.0

Affected products

Vaadin/Vaadinv5
Range: 10.0.0
vaadin/flow-serverv5
Range: 1.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5f9v-mv5g-jh5qghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-25499ghsaADVISORY
github.com/vaadin/flow/pull/15885ghsaWEB
github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5qghsaWEB
vaadin.com/security/CVE-2023-25499ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000