CVE-2023-25500
Vaadin vulnerable to possible information disclosure of class and method names in RPC response
3.5
LOW
CVSS 3.1
EPSS 0.30%
Description
Vaadin versions 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, and 24.1.0.alpha1 to 24.1.0.rc2 are affected by a possible information disclosure: by sending modified requests, an authenticated user may cause class and method names to appear in RPC responses. https://vaadin.com/security/cve-2023-25500
How to fix CVE-2023-25500
To remediate CVE-2023-25500, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.21 or later
- Upgrade to 10.0.24 or later
Is CVE-2023-25500 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.0.0, < 1.0.21
- >= 10.0.0, < 10.0.24
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |