CVE-2018-25007

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
VaadinCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
vaadinflow
1.0.0 ≤
𝑥
< 1.0.6
vaadinvaadin
10.0.0 ≤
𝑥
< 10.0.8
vaadinvaadin
11.0.0 ≤
𝑥
< 11.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/vaadin/flow/pull/4774
https://vaadin.com/security/cve-2018-25007
https://github.com/vaadin/flow/pull/4774
https://vaadin.com/security/cve-2018-25007