{"id":"CVE-2019-25028","details":"Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector","aliases":["GHSA-q74r-4xw3-ppx9"],"modified":"2026-03-14T09:37:33.961216Z","published":"2021-04-23T16:15:08.267Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2019-25028"},{"type":"FIX","url":"https://github.com/vaadin/framework/pull/11644"},{"type":"FIX","url":"https://github.com/vaadin/framework/pull/11645"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/framework","events":[{"introduced":"fb74e3d03793a7f9c433a7be583d55e3e2d1c35d"},{"fixed":"c39400b55da214b2b6eb87260fb8f485a78a8aa1"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"8.8.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25028.json","unresolved_ranges":[{"events":[{"introduced":"7.4.0"},{"fixed":"7.7.20"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}