CVE-2021-33604

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Published: Jun 24, 2021
Updated: May 9, 2024
CVE: CVE-2021-33604
GHSA: GHSA-c99r-67x4-whj6
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.5
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 1.2
AV:L/AC:H/Au:N/C:P/I:N/A:N

CWEs:

CWE-172

Affected Software
References

Software	From	Fixed in
vaadin / vaadin	15.0.0	18.0.0.x
vaadin / vaadin	19.0.0	19.0.8.x
vaadin / vaadin	14.0.0	14.6.1.x
vaadin / flow-server	2.0.0	2.6.1.x
vaadin / flow-server	6.0.0	6.0.9.x
vaadin / flow-server	3.0.0	5.0.0.x
com.vaadin / vaadin-bom	14.0.0	14.6.2
com.vaadin / vaadin-bom	15.0.0	19.0.9

https://github.com/vaadin/flow/pull/11099
https://github.com/vaadin/platform/security/advisories/GHSA-c99r-67x4-whj6
https://vaadin.com/security/cve-2021-33604

Vulnerability Database

CVE-2021-33604

Deep Security Visibility Without the Complexity