A URL encoding error in the development mode handler in com.vaadin:flow-server versions 2.0.0 up to and including 2.6.1 (Vaadin 14.0.0 up to and including 14.6.1) and 3.0.0 up to and including 6.0.9 (Vaadin 15.0.0 up to and including 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser.
Vulnerable Product |
---|
vaadin flow-server |
vaadin vaadin |