CVE-2023-25499

When non-visible components are added to the UI on the server side, their content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 5.7 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Vaadin | CNA | 5.7 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CVE | ADP | --- | ---
CISA-ADP | ADP | --- | ---

Base Score: CVSS 3.x
EPSS Score percentile: 46%

Vendor | Product | Version
vaadin | vaadin | 10.0.0 ≤ 𝑥 < 10.0.23
vaadin | vaadin | 11.0.0 ≤ 𝑥 < 14.10.1
vaadin | vaadin | 15.0.0 ≤ 𝑥 ≤ 22.0.28
vaadin | vaadin | 23.0.0 ≤ 𝑥 < 23.3.13
vaadin | vaadin | 24.0.0 ≤ 𝑥 < 24.0.6
vaadin | vaadin | 24.1.0:alpha1
vaadin | vaadin | 24.1.0:alpha2
vaadin | vaadin | 24.1.0:alpha3
vaadin | vaadin | 24.1.0:alpha4
vaadin | vaadin | 24.1.0:alpha5
vaadin | vaadin | 24.1.0:alpha6
vaadin | vaadin | 24.1.0:beta1

𝑥 = Vulnerable software versions