CVE-2021-33604
CVE-2021-33604 is a low-severity vulnerability rated 2.5/10 on the CVSS v3.1 scale. A URL encoding error in the development mode handler of com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser. The vector (local, high complexity, no privileges, user interaction required, low confidentiality impact) describes a script injection that needs a victim to open an attacker-supplied URL against an instance running with development mode enabled, so the exposure is developer workstations and other development-mode deployments rather than production instances. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
URL encoding error in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser.
Metrics
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vaadin | Flow-Server | >= 2.0.0, <= 2.6.1 |
| Vaadin | Flow-Server | >= 3.0.0, <= 5.0.0 |
| Vaadin | Flow-Server | >= 6.0.0, <= 6.0.9 |
| Vaadin | Vaadin | >= 14.0.0, <= 14.6.1 |
| Vaadin | Vaadin | >= 15.0.0, <= 18.0.0 |
| Vaadin | Vaadin | >= 19.0.0, <= 19.0.8 |
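The practical question for this advisory is which flow-server version a build actually resolves, since the Vaadin platform version in a pom does not by itself show it. The following is an added example, not code from the advisory or from Vaadin: it parses `mvn dependency:tree` output for `com.vaadin:flow-server` and compares each version against the ranges from the table and description above. The sample tree output is constructed. The ranges follow the description text (3.0.0 through 6.0.9 as one contiguous range) rather than the split CPE rows in the table, which is the conservative reading.

```python
"""Check com.vaadin:flow-server versions against the CVE-2021-33604 affected ranges.

Added example; not part of the advisory or of Vaadin's tooling.
The sample `mvn dependency:tree` output below is constructed.
"""
import re

# Inclusive (low, high) version ranges for com.vaadin:flow-server, taken from
# the advisory text. The NVD table splits the second range into 3.0.0-5.0.0 and
# 6.0.0-6.0.9; the description covers 3.0.0 through 6.0.9 contiguously, and the
# wider reading is used here so that no 5.0.x release slips through.
AFFECTED_FLOW_SERVER = [
    ((2, 0, 0), (2, 6, 1)),
    ((3, 0, 0), (6, 0, 9)),
]

# Matches groupId:artifactId:type:version in Maven dependency:tree lines,
# e.g. "com.vaadin:flow-server:jar:2.6.1:compile".
FLOW_SERVER_GAV_RE = re.compile(r"com\.vaadin:flow-server:[^:\s]+:([^:\s]+)")


def parse_version(version):
    """Turn '2.6.1' or '6.0.9-SNAPSHOT' into a comparable (major, minor, patch) tuple.

    Any qualifier after the numeric part is ignored. That is deliberately
    conservative: '2.6.1.beta1' compares as 2.6.1 and is flagged.
    """
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"not a Maven-style version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version):
    """True if the flow-server version falls inside any affected range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_FLOW_SERVER)


def affected_versions_in_tree(tree_text):
    """Return every affected flow-server version found in dependency:tree output."""
    return [v for v in FLOW_SERVER_GAV_RE.findall(tree_text) if is_affected(v)]


# Constructed sample: a Vaadin 14.6.1 project, which resolves flow-server 2.6.1.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- com.vaadin:vaadin-core:jar:14.6.1:compile
[INFO] |  +- com.vaadin:flow-server:jar:2.6.1:compile
[INFO] |  \\- com.vaadin:flow-client:jar:2.6.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""

if __name__ == "__main__":
    hits = affected_versions_in_tree(SAMPLE_TREE)
    if hits:
        print("affected flow-server versions:", ", ".join(hits))
    else:
        print("no affected flow-server version resolved")
```

To run it against a real build, pipe `mvn dependency:tree` output into `affected_versions_in_tree`; a non-empty result means the resolved flow-server is inside an affected range and the project should move to a release beyond it.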
References
- https://github.com/vaadin/flow/pull/11099 (Patch, Third Party Advisory)
- https://vaadin.com/security/cve-2021-33604 (Vendor Advisory)
Frequently Asked Questions
What is CVE-2021-33604?
A URL encoding error in the development mode handler of com.vaadin:flow-server (versions 2.0.0 through 2.6.1 and 3.0.0 through 6.0.9, shipped in Vaadin 14.0.0 through 14.6.1 and 15.0.0 through 19.0.8) that lets a local user execute arbitrary JavaScript code by opening a crafted URL in a browser.
How severe is CVE-2021-33604?
Low. The CVSS v3.1 base score is 2.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N): local attack vector, high attack complexity, user interaction required, and low confidentiality impact only. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
How do I fix CVE-2021-33604?
Upgrade com.vaadin:flow-server, or the Vaadin platform that pulls it in, to a release newer than the affected ranges in the table above. The fix is the change in vaadin/flow pull request 11099; see the vendor advisory at https://vaadin.com/security/cve-2021-33604 for the fixed releases.
Are you affected by CVE-2021-33604?
Check the flow-server version your build actually resolves (for example with mvn dependency:tree) against the Affected Software table above; the Vaadin platform version alone does not show it. Because the flaw is in the development mode handler, instances running with development mode enabled are the ones exposed.
Source: NVD / NIST
