Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Package
Affected versions
>= 10.0.0, < 10.0.14
>= 11.0.0, < 13.0.6
Patched versions
10.0.14
13.0.6
Description
Reviewed
Apr 16, 2021
Published to the GitHub Advisory Database
Apr 19, 2021
Last updated
Jan 9, 2023
Missing output sanitization in default
RouteNotFoundErrorview incom.vaadin:flow-serverversions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.References