Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19
CVE-2021-33604

2.5LOW

Key Information:

Vendor: Vaadin
Status: Vaadin; Flow-server
Vendor: CVE Published:; 24 June 2021

What is CVE-2021-33604?

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

flow-server 2.0.0

flow-server <= 2.6.1

flow-server 3.0.0

References

https://vaadin.com/security/cve-2021-33604

x_refsource_CONFIRM

https://github.com/vaadin/flow/pull/11099

x_refsource_CONFIRM

CVSS V3.1

Score:

2.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 24, 2021
Vulnerability Reserved
May 27, 2021

JSON

Vaadin