Cross-Site Scripting (XSS) vulnerability in com.vaadin:flow-server versions 1.0.0 through 1.0.10 and 1.1.0 through 1.4.2

Cross-Site Scripting (XSS) vulnerability in com.vaadin:flow-server versions 1.0.0 through 1.0.10 and 1.1.0 through 1.4.2

CVE-2019-25027 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL

Learn more about our Cis Benchmark Audit For Server Software.