Reflected cross-site scripting in development mode handler in Vaadin
Package
com.vaadin:flow-server
Affected versions
>= 2.0.0, <= 2.6.1
>= 3.0.0, <= 6.0.9
Patched versions
2.6.2
6.0.10
Description
Reviewed
Jun 24, 2021
Published to the GitHub Advisory Database
Jun 28, 2021
Last updated
Jan 9, 2023
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser.
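The check a practitioner wants from this advisory is whether a given flow-server dependency falls inside the affected ranges and which release fixes it. The following Python is an added example written for this page, not code from the advisory or from the Vaadin project; it encodes only the two inclusive ranges and two patched versions listed above. Version parsing is an assumption of the example: qualifiers such as -SNAPSHOT are dropped, so a snapshot is treated like the release it precedes, and the sample dependency list is constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges from the advisory, inclusive on both ends, each paired with
# the release that fixes that line.
AFFECTED_RANGES = [
    ("2.0.0", "2.6.1", "2.6.2"),
    ("3.0.0", "6.0.9", "6.0.10"),
]
ARTIFACT = "com.vaadin:flow-server"

# Leading dotted-integer part of a version; anything after it is a qualifier.
_NUMERIC = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted version into a tuple of ints padded to three components.

    Assumption of this example: qualifiers such as '-SNAPSHOT' or '.alpha1'
    are ignored, so '5.0.0-SNAPSHOT' compares equal to '5.0.0'.
    """
    match = _NUMERIC.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def recommended_fix(version: str) -> Optional[str]:
    """Return the patched release for an affected flow-server version,
    or None when the version lies outside every affected range."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= parsed <= parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the flow-server version is inside an affected range."""
    return recommended_fix(version) is not None


def scan_dependencies(coordinates: List[str]) -> List[Tuple[str, str]]:
    """Given Maven coordinates 'group:artifact:version', return
    (coordinate, fixed_version) pairs for every affected flow-server entry.
    Other artifacts, including other com.vaadin modules, are ignored."""
    findings = []
    for coord in coordinates:
        group, artifact, version = coord.split(":", 2)
        if f"{group}:{artifact}" != ARTIFACT:
            continue
        fixed = recommended_fix(version)
        if fixed is not None:
            findings.append((coord, fixed))
    return findings


# Constructed sample dependency list; not taken from any real build.
SAMPLE_DEPENDENCIES = [
    "com.vaadin:flow-server:2.6.1",
    "com.vaadin:flow-server:6.0.10",
    "com.vaadin:flow-client:6.0.9",
    "com.vaadin:flow-server:5.0.0-SNAPSHOT",
]

if __name__ == "__main__":
    for coord, fixed in scan_dependencies(SAMPLE_DEPENDENCIES):
        print(f"{coord} is affected; upgrade to {fixed}")
```

Running the module over the sample list flags the 2.6.1 and 5.0.0-SNAPSHOT entries and leaves 6.0.10 and the unrelated flow-client artifact alone; the same functions can be fed the output of a dependency listing for a real build.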