CVE-2019-25028

描述

Missing variable sanitization in `Grid` component in `com.vaadin:vaadin-server` versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector. - https://vaadin.com/security/cve-2019-25028

受影響套件(2)

• Maven/com.vaadin:vaadin-bom>= 7.4.0, < 7.7.20
• Maven/com.vaadin:vaadin-server>= 7.4.0, < 7.7.20

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-25028
• WEBhttps://github.com/vaadin/framework/pull/11644
• WEBhttps://github.com/vaadin/framework/pull/11645
• WEBhttps://github.com/vaadin/framework/security/advisories/GHSA-q74r-4xw3-ppx9
• WEBhttps://vaadin.com/security/cve-2019-25028