Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
Reviewed: Apr 16, 2021
Published to the GitHub Advisory Database: Apr 19, 2021
Published by the National Vulnerability Database: Apr 23, 2021
Last updated: Feb 1, 2023

Description
A missing check in the UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows an attacker to update element property values via a crafted synchronization message. The handler applied client-sent property synchronization updates without verifying that the server had actually marked the named property as synchronized from the client, so a client could set server-side element properties that application code treats as server-controlled.
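The following is an added illustration of the missing-check pattern described above; it is not Vaadin's code and does not reproduce Flow's UIDL handler, message format or class names. It models a server-side element tree, a simplified synchronization message (the fields `node`, `property` and `value` are assumptions), and two handlers: one that trusts any property name the client names, and one that applies an update only when the server has opted that property into client synchronization.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not Vaadin Flow code. Models the class of check the
 * advisory describes as missing: a client->server property sync message
 * must only be applied to properties the server asked the client to sync.
 */
public class SyncHandlerDemo {

    /** A server-side element: its property map plus the set of properties the
     *  server explicitly registered as client-synchronized (e.g. an input's "value"). */
    static final class Element {
        final int nodeId;
        final Map<String, Object> properties = new HashMap<>();
        final Set<String> clientSyncedProperties = new HashSet<>();

        Element(int nodeId) {
            this.nodeId = nodeId;
        }
    }

    /** Simplified stand-in for one synchronization entry in a client request
     *  (constructed for this example; field names are assumptions). */
    static final class SyncMessage {
        final int node;
        final String property;
        final Object value;

        SyncMessage(int node, String property, Object value) {
            this.node = node;
            this.property = property;
            this.value = value;
        }
    }

    /** Vulnerable handler: any property named by the client is written. */
    static boolean applyUnchecked(Map<Integer, Element> tree, SyncMessage msg) {
        Element element = tree.get(msg.node);
        if (element == null) {
            return false;
        }
        element.properties.put(msg.property, msg.value);
        return true;
    }

    /** Hardened handler: the update is applied only if the server opted the
     *  property into client synchronization; anything else is logged and dropped. */
    static boolean applyChecked(Map<Integer, Element> tree, SyncMessage msg) {
        Element element = tree.get(msg.node);
        if (element == null) {
            return false;
        }
        if (!element.clientSyncedProperties.contains(msg.property)) {
            System.err.println("Ignoring sync for non-synchronized property '"
                    + msg.property + "' on node " + msg.node);
            return false;
        }
        element.properties.put(msg.property, msg.value);
        return true;
    }

    public static void main(String[] args) {
        Map<Integer, Element> tree = new HashMap<>();
        Element textField = new Element(5);
        textField.clientSyncedProperties.add("value");      // legitimately client-writable
        textField.properties.put("readonly", Boolean.TRUE); // server-controlled in this model
        tree.put(textField.nodeId, textField);

        SyncMessage legitimate = new SyncMessage(5, "value", "hello");
        SyncMessage crafted = new SyncMessage(5, "readonly", Boolean.FALSE);

        // Without the check, the crafted message overwrites the server-controlled property.
        applyUnchecked(tree, crafted);
        System.out.println("unchecked handler, readonly=" + textField.properties.get("readonly"));

        // Reset and repeat with the check: only the registered property is accepted.
        textField.properties.put("readonly", Boolean.TRUE);
        System.out.println("checked handler accepted legitimate=" + applyChecked(tree, legitimate));
        System.out.println("checked handler accepted crafted=" + applyChecked(tree, crafted));
        System.out.println("checked handler, readonly=" + textField.properties.get("readonly"));
    }
}
```

Two practitioner notes. First, even with the check in place, a client-synchronized property is still client-controlled input and must be validated on the server like any other request parameter; the check only limits which properties the client may touch, not what values it may send. Second, to confirm which flow-server version a Maven build actually resolves (transitive dependencies can differ from the Vaadin version declared in the pom), run `mvn dependency:tree -Dincludes=com.vaadin:flow-server` and compare the result against the affected ranges listed above.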