CVE-2018-25007

EUVD-2021-0842
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
VaadinCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
vaadinflow
1.0.0 ≤
𝑥
< 1.0.6
vaadinvaadin
10.0.0 ≤
𝑥
< 10.0.8
vaadinvaadin
11.0.0 ≤
𝑥
< 11.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/vaadin/flow/pull/4774
https://vaadin.com/security/cve-2018-25007
https://github.com/vaadin/flow/pull/4774
https://vaadin.com/security/cve-2018-25007