CVE-2018-25007

LOW

Vaadin Flow 1.0.0-1.0.5 - Unauthenticated Element Property Update via UIDL Request Handler

Title source: llm
STIX 2.1

Description

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://vaadin.com/security/cve-2018-25007
Patch, Third Party Advisory x_refsource_misc
https://github.com/vaadin/flow/pull/4774

Scores

CVSS v3 2.6
EPSS 0.0057
EPSS Percentile 42.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-754
Status published
Products (3)
com.vaadin/flow-server 1.0.0 - 1.0.6Maven
vaadin/flow 1.0.0 - 1.0.6
vaadin/vaadin 10.0.0 - 10.0.8
Published Apr 23, 2021
Tracked Since Feb 18, 2026