Vulnerability Description
Missing variable sanitization in the Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vaadin | Vaadin | >= 7.4.0, < 7.7.20 |
Related Weaknesses (CWE)
References
- https://github.com/vaadin/framework/pull/11644 (Patch, Third Party Advisory)
- https://github.com/vaadin/framework/pull/11645 (Patch, Third Party Advisory)
- https://vaadin.com/security/cve-2019-25028 (Vendor Advisory)
FAQ
What is CVE-2019-25028?
CVE-2019-25028 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows att...
How severe is CVE-2019-25028?
CVE-2019-25028 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-25028?
Check the references section above for vendor advisories and patch information. Affected products include: Vaadin Vaadin.