CVE-2023-25499
Vaadin vulnerable to possible information disclosure in non visible components.
5.7
MEDIUM
CVSS 3.1
EPSS 0.24%
Description
When non-visible components are added to the UI on the server side, their content is still sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5, and 24.1.0.alpha1 through 24.1.0.beta1, resulting in potential information disclosure. On affected versions, marking a component non-visible on the server therefore does not keep its content from reaching the client.

Reference: https://vaadin.com/security/cve-2023-25499
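The following is an added example written for this page; it is not code from the Vaadin project or from the vendor advisory. It shows the server-side pattern the description covers (a component holding sensitive text attached to the UI while non-visible) next to a safer pattern that does not create or attach the component until a server-side check passes, so nothing sensitive is sent to the client regardless of the Vaadin version. `AccountView`, `userMayViewSecret()` and `loadSecret()` are hypothetical names chosen for the example.

```java
// Added example, not Vaadin's own code. Demonstrates the pattern the advisory
// warns about (hidden component still serialized to the browser on affected
// versions) and a safer alternative. Hypothetical view and helper names.
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;

@Route("account")
public class AccountView extends VerticalLayout {

    // Hypothetical authorization check; a real application would consult its
    // security context (Spring Security, a session attribute, etc.).
    private boolean userMayViewSecret() {
        return false;
    }

    // Hypothetical loader for a sensitive value (API key, SSN, ...).
    private String loadSecret() {
        return "sensitive-value";
    }

    public AccountView() {
        // Pattern covered by the advisory: the component is created with the
        // sensitive text and attached to the UI while non-visible. The page's
        // description states that on affected versions the content of such a
        // component is still sent to the browser, so hiding it is not a
        // confidentiality control.
        Span hiddenSecret = new Span(loadSecret());
        hiddenSecret.setVisible(false);
        add(hiddenSecret);

        // Safer pattern, independent of the Vaadin version: the sensitive
        // value is never loaded or attached until the server-side check passes.
        // A component that does not exist on the server cannot be serialized.
        Button reveal = new Button("Show secret", click -> {
            if (userMayViewSecret()) {
                add(new Span(loadSecret()));
            }
        });
        add(reveal);
    }
}
```

Upgrading to a fixed version is still the remediation for the advisory; the second pattern is defense in depth that also avoids relying on client-side visibility for any other data you do not want in the page payload.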
How to fix CVE-2023-25499
To remediate CVE-2023-25499, upgrade the affected package to a fixed version:
- upgrade to 1.0.20 or later (for the >= 1.0.0, < 1.0.20 range)
- upgrade to 10.0.23 or later (for the >= 10.0.0, < 10.0.23 range)

The description lists further affected ranges (up to 24.1.0.beta1) that are not covered by the two entries above; consult the vendor advisory linked in the description for the fixed version of each release line you use.
Is CVE-2023-25499 being exploited?
Low. EPSS is 0.24%, a low predicted probability of exploitation in the wild within the next 30 days. EPSS is a forecast, not a record of observed exploitation, so treat it as a prioritization signal rather than proof that the issue is not being used.
Affected packages (2)
- >= 1.0.0, < 1.0.20
- >= 10.0.0, < 10.0.23
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.7) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |

The vector reads as network-reachable (AV:N), low attack complexity (AC:L), requiring a low-privileged account (PR:L) and user interaction (UI:R), with high confidentiality impact (C:H) and no integrity or availability impact, which matches an information-disclosure issue.