Improper sanitization of the path in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 up to and including 1.0.14 (Vaadin 10.0.0 up to and including 10.0.18), 1.1.0 before 2.0.0 (Vaadin 11 before 14), 2.0.0 up to and including 2.6.1 (Vaadin 14.0.0 up to and including 14.6.1), and 3.0.0 up to and including 6.0.9 (Vaadin 15.0.0 up to and including 19.0.8) allows a malicious network user to enumerate all available routes via a crafted HTTP request when the application is running in production mode and no custom handler for NotFoundException is provided.
Vulnerable Product |
---|
vaadin flow |
vaadin vaadin |