Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
CVE-2018-25007

2.6LOW

Key Information:

Vendor: Vaadin
Status: Vaadin; Flow-server
Vendor: CVE Published:; 23 April 2021

What is CVE-2018-25007?

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

flow-server 1.0.0

Vaadin 10.0.0

References

https://vaadin.com/security/cve-2018-25007

x_refsource_MISC

https://github.com/vaadin/flow/pull/4774

x_refsource_MISC

CVSS V3.1

Score:

2.6

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 23, 2021
Vulnerability Reserved
Apr 13, 2021

JSON

Vaadin