CVE-2019-25028

Description

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector

Affected Software
References

Software	From	Fixed in
vaadin / vaadin	7.4.0	7.7.20
vaadin / vaadin	8.0.0	8.8.5
com.vaadin / vaadin-bom	7.4.0	7.7.20
com.vaadin / vaadin-bom	8.0.0	8.8.5
com.vaadin / vaadin-server	7.4.0	7.7.20
com.vaadin / vaadin-server	8.0.0	8.8.5

https://github.com/vaadin/framework/pull/11644
https://github.com/vaadin/framework/pull/11645
https://github.com/vaadin/framework/security/advisories/GHSA-q74r-4xw3-ppx9
https://vaadin.com/security/cve-2019-25028

Severity: Medium

CVE: CVE-2019-25028
GHSA: GHSA-q74r-4xw3-ppx9
Published: Apr 23, 2021
Updated: May 9, 2024
Exploit:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79
CWE-80

A7 - Cross-Site Scripting (XSS)

CVE-2019-25028

Description

Details

CVSS v3

CVSS v2

CWEs

OWASP TOP 10