{ "schema_version": "1.4.0", "id": "GHSA-q74r-4xw3-ppx9", "modified": "2021-04-16T23:15:34Z", "published": "2021-04-19T14:49:48Z", "aliases": [ "CVE-2019-25028" ], "summary": "Stored cross-site scripting in Grid component in Vaadin 7 and 8", "details": "Missing variable sanitization in `Grid` component in `com.vaadin:vaadin-server` versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.\n\n- https://vaadin.com/security/cve-2019-25028", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "com.vaadin:vaadin-bom" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.4.0" }, { "fixed": "7.7.20" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.vaadin:vaadin-bom" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.8.5" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.vaadin:vaadin-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.4.0" }, { "fixed": "7.7.20" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "com.vaadin:vaadin-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.8.5" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/vaadin/framework/security/advisories/GHSA-q74r-4xw3-ppx9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25028" }, { "type": "WEB", "url": "https://github.com/vaadin/framework/pull/11644" }, { "type": "WEB", "url": "https://github.com/vaadin/framework/pull/11645" }, { "type": "WEB", "url": "https://vaadin.com/security/cve-2019-25028" } ], "database_specific": { "cwe_ids": [ "CWE-79", "CWE-80" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-04-16T23:15:34Z", "nvd_published_at": "2021-04-23T16:15:00Z" } }