{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "10.0.0" }, { "fixed": "10.0.23" }, { "introduced": "11.0.0" }, { "fixed": "14.10.1" }, { "introduced": "15.0.0" }, { "last_affected": "22.0.28" }, { "introduced": "23.0.0" }, { "fixed": "23.3.13" }, { "introduced": "24.0.0" }, { "fixed": "24.0.6" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha1" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha2" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha3" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha4" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha5" }, { "introduced": "0" }, { "last_affected": "24.1.0-alpha6" }, { "introduced": "0" }, { "last_affected": "24.1.0-beta1" } ] }, "events": [ { "introduced": "7ac406600a3c1a228e15ba253fe844f7e13771a0" }, { "fixed": "7a9403dc6515f4ecd99a169339b43f3d6b096064" }, { "introduced": "75cb16838a5b87c6e1a15b9e453e0d7c90cc1d53" }, { "fixed": "954586e69fb7d7fe301dfead80e5859e23686357" }, { "introduced": "9efda1b1e0a27769eef9292dd7799d8fea77e633" }, { "last_affected": "5822e673320817e8dc9baf6015f271afe07cef24" }, { "introduced": "e107b1973a390cafc749031e033f37de7b9a4a1f" }, { "fixed": "d84509ab9238212ebba0dce7b17d25729292ff95" }, { "introduced": "a45cc881358732b3d594b20750f1369a65d7237a" }, { "fixed": "7e7de81e736b39082b08da388f8f6bd99ceee451" }, { "introduced": "0" }, { "last_affected": "b5c441f2178926e003653d466d09d8fb40f7c35f" }, { "introduced": "0" }, { "last_affected": "f88b3ceb3f3626ae082477cfc3dcf889765f802d" }, { "introduced": "0" }, { "last_affected": "f6b560f2bcf42a40027c6fbff40b0cc8a2cdd639" }, { "introduced": "0" }, { "last_affected": "1d42f366aecac52015db2f997d72ffa7d4fca7df" }, { "introduced": "0" }, { "last_affected": "61f9aca5d70c09b4d3b2f9753346938b81b43d62" }, { "introduced": "0" }, { "last_affected": "1b348c9cae89e22c9e82c977f9b35bfa8f5e7b5c" }, { "introduced": "0" }, { "last_affected": "dc2b36aeeb51e7d1c2dcc349d051d9a0a44228cc" } ], "repo": "https://github.com/vaadin/vaadin", "type": "GIT" } ] } ], "details": "When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.\n\n", "id": "CVE-2023-25499", "modified": "2026-03-13T21:49:05.950582533Z", "published": "2023-06-22T13:15:09.660Z", "references": [ { "type": "ADVISORY", "url": "https://vaadin.com/security/CVE-2023-25499" }, { "type": "FIX", "url": "https://github.com/vaadin/flow/pull/15885" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }