{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "1.0.0" }, { "fixed": "1.0.6" } ] }, "events": [ { "introduced": "3cd0c02025aba6de6fd78a8ea65c67483a721b4e" }, { "fixed": "894baa477588a9d1f09bb0e0442ce84f37263464" } ], "repo": "https://github.com/vaadin/flow", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "10.0.0" }, { "fixed": "10.0.8" }, { "introduced": "11.0.0" }, { "fixed": "11.0.3" } ] }, "events": [ { "introduced": "7ac406600a3c1a228e15ba253fe844f7e13771a0" }, { "fixed": "bc1efba687e0043bdf892ecbd59a8592ae4222f5" }, { "introduced": "75cb16838a5b87c6e1a15b9e453e0d7c90cc1d53" }, { "fixed": "4a04530dfe7f9de6b0d57df0441087e60251cb25" } ], "repo": "https://github.com/vaadin/vaadin", "type": "GIT" } ] } ], "details": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.", "id": "CVE-2018-25007", "modified": "2026-03-13T21:51:51.375921930Z", "published": "2021-04-23T16:15:07.933Z", "references": [ { "type": "ADVISORY", "url": "https://vaadin.com/security/cve-2018-25007" }, { "type": "FIX", "url": "https://github.com/vaadin/flow/pull/4774" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ] }