Encoding Error

CVE-2021-33604

Low

2.5/10

Summary

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-172 - Encoding Error

The software does not properly encode or decode the data, resulting in unexpected values.

References

Advisory
Pull request
Advisory
Advisory

Advisory Timeline

Published Jun 24, 2021

Encoding Error

CVE-2021-33604

Summary

CWE-172 - Encoding Error

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS