CVE-2021-33604

Summary

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Affected Software

VendorProductVersion RangeStatus
VaadinVaadin14.0.0 < unspecifiedaffected
VaadinVaadinunspecified <= 14.6.1affected
VaadinVaadin15.0.0 < unspecifiedaffected
VaadinVaadinunspecified <= 19.0.8affected
Vaadinflow-server2.0.0 < unspecifiedaffected
Vaadinflow-serverunspecified <= 2.6.1affected
Vaadinflow-server3.0.0 < unspecifiedaffected
Vaadinflow-serverunspecified <= 6.0.9affected

Weaknesses

  • CWE-172: CWE-172 Encoding Error

ADP Enrichment

CVE Program Container

Additional References

References