{"id":"CVE-2021-33604","details":"A URL encoding error in the development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1) and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in a browser.","aliases":["GHSA-c99r-67x4-whj6"],"modified":"2026-04-10T04:34:04.657373Z","published":"2021-06-24T12:15:08.157Z","references":[{"type":"ADVISORY","url":"https://vaadin.com/security/cve-2021-33604"},{"type":"FIX","url":"https://github.com/vaadin/flow/pull/11099"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vaadin/flow","events":[{"introduced":"8e306579f157678c3baa3f3f63f406d073668161"},{"last_affected":"028ba87748c990948f44fe47c6b680c8b5e197d2"},{"introduced":"4b6ca4330163c4e976b32d03880fe2154a9d1ca7"},{"last_affected":"60b4fd8e59948e2a6a5f8af1988a3adc45563ffc"},{"introduced":"6a409a8b4b01b18dc2ca30c59395aeeb0cffbd2c"},{"last_affected":"9ebb07ae013fd667dec105c9cde3aaf9acc23e81"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"last_affected":"2.6.1"},{"introduced":"3.0.0"},{"last_affected":"5.0.0"},{"introduced":"6.0.0"},{"last_affected":"6.0.9"}]}},{"type":"GIT","repo":"https://github.com/vaadin/vaadin","events":[{"introduced":"ca9cf99092245a31a84b317adf1d79a397970d27"},{"last_affected":"e19775cf4b00eb14e98acd9b0452642c2a7010ff"},{"introduced":"9efda1b1e0a27769eef9292dd7799d8fea77e633"},{"last_affected":"a5bc6b4832e649fb16243e2bc0ee9b2941815e3b"},{"introduced":"3981409421683b6f4a796f37b67433d36b6a7ca1"},{"last_affected":"b41a52e3d8a4d4e90726e15cba6e2ae31b4722ba"}],"database_specific":{"versions":[{"introduced":"14.0.0"},{"last_affected":"14.6.1"},{"introduced":"15.0.0"},{"last_affected":"18.0.0"},{"introduced":"19.0.0"},{"last_affected":"19.0.8"}]}}],"versions":["2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.1.0.alpha1","2.1.0.beta1","2.1.0.beta3","2.2.0.alpha1","2.2.0.alpha10","2.2.0.alpha11","2.2.0.al
pha12","2.2.0.alpha13","2.2.0.alpha14","2.2.0.alpha15","2.2.0.alpha16","2.2.0.alpha2","2.2.0.alpha3","2.2.0.alpha4","2.2.0.alpha5","2.2.0.alpha6","2.2.0.alpha7","2.2.0.alpha8","2.2.0.alpha9","2.2.0.beta1","2.2.0.beta2","2.2.0.rc1","2.2.alpha14","2.3.0","2.3.0.alpha1","2.3.0.beta1","2.3.0.beta2","2.3.0.beta3","2.3.1","2.3.2","2.3.3","2.3.4","2.4.0","2.4.0.alpha1","2.4.0.beta1","2.4.0.beta2","2.5.0.alpha1","2.5.0.alpha2","2.6.0","2.6.0.alpha1","2.6.0.beta1","2.6.0.beta2","2.6.0.rc1","2.6.1","3.0.0.alpha17","3.0.0.alpha5","3.0.0.beta1","3.0.0.beta2","3.0.0.beta3","3.0.0.beta4","3.2.0.alpha1","3.2.0.alpha2","3.2.0.alpha3","3.2.0.alpha4","3.2.0.alpha5","3.2.0.alpha6","3.2.0.alpha7","4.0.0.alpha1","4.0.0.alpha2","4.0.0.alpha3","4.0.0.beta1","5.0.0","5.0.0.alpha1","5.0.0.beta1","5.0.0.rc1","6.0.0","6.0.0.rc1","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.0.6","6.0.7","6.0.8","6.0.9","v14.0.0","v14.0.1","v14.0.2","v14.1.0","v14.1.0-alpha1","v14.1.0-alpha2","v14.1.0-alpha3","v14.1.0-alpha4","v14.1.0-alpha5","v14.1.0-beta1","v14.1.0-beta2","v14.1.0-beta3","v14.1.0-rc1","v14.1.1","v14.1.2","v14.2.0","v14.2.0-alpha1","v14.2.0-alpha10","v14.2.0-alpha11","v14.2.0-alpha2","v14.2.0-alpha3","v14.2.0-alpha4","v14.2.0-alpha5","v14.2.0-alpha6","v14.2.0-alpha7","v14.2.0-alpha8","v14.2.0-alpha9","v14.2.0-beta1","v14.2.0-rc1","v14.3.0","v14.3.0-alpha1","v14.3.0-beta1","v14.3.0-beta2","v14.3.0-beta3","v14.3.0-rc1","v14.4.0","v14.4.0-alpha1","v14.4.0-beta1","v14.4.0-beta2","v14.4.0-rc1","v14.5.0-alpha1","v14.5.0-alpha2","v14.5.0-alpha3","v14.5.0-beta1","v14.5.0-rc1","v14.6.0","v14.6.0-alpha1","v14.6.0-alpha2","v14.6.0-beta1","v14.6.0-beta2","v14.6.0-rc1","v14.6.1","v15.0.0-alpha1","v15.0.0-alpha10","v15.0.0-alpha11","v15.0.0-alpha12","v15.0.0-alpha13","v15.0.0-alpha14","v15.0.0-alpha15","v15.0.0-alpha2","v15.0.0-alpha3","v15.0.0-alpha4","v15.0.0-alpha5","v15.0.0-alpha6","v15.0.0-alpha7","v15.0.0-alpha8","v15.0.0-alpha9","v15.0.0-beta1","v15.0.0-beta2","v15.0.0-beta3","v15.0.0-beta4","v15.0.0-b
eta5","v15.0.0-rc1","v16.0.0-alpha1","v16.0.0-alpha2","v16.0.0-alpha3","v17.0.0","v17.0.0-alpha1","v17.0.0-alpha2","v17.0.0-alpha3","v17.0.0-alpha4","v17.0.0-alpha5","v17.0.0-alpha6","v17.0.0-alpha7","v17.0.0-beta1","v17.0.0-beta2","v17.0.0-beta3","v17.0.0-rc1","v17.0.0-rc2","v18.0.0","v18.0.0-alpha1","v18.0.0-beta1","v18.0.0-beta2","v18.0.0-beta3","v18.0.0-rc1","v18.0.0-rc2","v19.0.0","v19.0.1","v19.0.2","v19.0.3","v19.0.4","v19.0.5","v19.0.6","v19.0.7","v19.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33604.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}