Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, …
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.
The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.
Missing check in DataCommunicator class in com.vaadin:vaadin-server allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Unsafe validation RegEx in EmailField component of com.vaadin:vaadin-text-field-flow allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Improper URL validation in development mode handler in com.vaadin:flow-server allows attacker to request arbitrary files stored outside of intended frontend resources folder.
The Authentication.logout() helper in com.vaadin:flow-client uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server allows attacker to guess a security token via timing attack
A non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server allows attackers to guess a security token via a timing attack.
A non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server, and com.vaadin:fusion-endpoint allows attacker to guess a security token for Fusion endpoints via timing attack.
Insecure configuration of default ObjectMapper in com.vaadin:flow-server may expose sensitive data if the application also uses @RestController
A vulnerability in the OSGi integration in com.vaadin:flow-server allows attackers to access application classes and resources on the server via crafted HTTP request.
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector