CVE-2023-25500

LOW3.5EPSS 0.30%

Vaadin vulnerable to possible information disclosure of class and method names in RPC response

Published: 6/22/2023Modified: 2/16/2024

Description

### Description Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. https://vaadin.com/security/cve-2023-25500

Affected packages (2)

Maven/com.vaadin:flow-server>= 1.0.0, < 1.0.21
Maven/com.vaadin:vaadin>= 10.0.0, < 10.0.24

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-25500
PATCHhttps://github.com/vaadin/platform
WEBhttps://github.com/vaadin/flow/pull/16935
WEBhttps://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
WEBhttps://vaadin.com/security/cve-2023-25500