Package Instance

Exposure of Resource to Wrong Sphere
Improper sanitization of path in default `RouteNotFoundError` view allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Missing output sanitization in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.

- https://vaadin.com/security/cve-2019-25027

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Vulnerability in OSGi integration in `com.vaadin:flow-server` versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

- https://vaadin.com/security/cve-2021-31407

Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20
Improper check in `CheckboxGroup` in `com.vaadin:vaadin-checkbox-flow` versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled `Checkbox` inside enabled `CheckboxGroup` component via unspecified vectors.

- https://vaadin.com/security/cve-2021-33605