
Cloud Vulnerability DB
A community-led vulnerabilities database
Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13) and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL. The vulnerability was disclosed on May 27, 2019, and has been assigned a CVSS v3.1 base score of 6.1 (Medium severity) (Vaadin Security).
The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue: improper neutralization of script in an error message web page (CWE-81). The default RouteNotFoundError view echoes part of the requested URL into the "route not found" page without output encoding, so a user who opens a specially crafted URL has attacker-supplied JavaScript executed in their browser (Vaadin Security).
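The defect class is easiest to see side by side. The following is an added example, not Vaadin's code: a minimal Python renderer stands in for the Java error view, showing the unencoded form next to the corrected form, and parsing the rendered markup to show which elements a browser would actually create. The template text, function names and the request path are constructed for the illustration.

```python
"""Output-encoding demonstration for a 'route not found' error page.

Added example, not code from Vaadin or from the advisory above.  The
template, helper names and request path are constructed; the point is
the difference between interpolating an untrusted URL fragment verbatim
and HTML-encoding it first.
"""
import html
from html.parser import HTMLParser

# Constructed stand-in for a "route not found" error page template.
TEMPLATE = "<h1>Could not navigate to '{path}'</h1>"


def render_unsafe(path: str) -> str:
    """Vulnerable form: the attacker-controlled path lands in the markup as-is."""
    return TEMPLATE.format(path=path)


def render_safe(path: str) -> str:
    """Hardened form: HTML-encode every untrusted value before it reaches markup.

    quote=True also encodes ' and ", so the value is safe inside attribute
    values as well as element text.
    """
    return TEMPLATE.format(path=html.escape(path, quote=True))


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_tags(rendered: str) -> list[str]:
    """Parse the rendered page and return the element tags it would create.

    Used as the check: the only element in the page should be the <h1>
    from the template, never anything contributed by the request path.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


# Constructed test input: a path that carries markup in its last segment.
CONSTRUCTED_PATH = "missing/<script>alert(1)</script>"

if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = renderer(CONSTRUCTED_PATH)
        print(f"{name}: elements={element_tags(page)}\n  {page}")
```

The check in `element_tags` is the one to keep around: run it over any server-rendered error page that reflects request data, and the tag list should contain nothing that the template itself does not declare.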
When successfully exploited, this vulnerability lets an attacker run JavaScript of their choosing in the context of the victim's browser session. The CVSS metrics indicate low impact on confidentiality and integrity and no impact on availability; the attack requires user interaction (the victim must open the crafted URL), and it can affect resources beyond the security scope of the affected component, i.e. the user's browser rather than the Vaadin application itself (Vaadin Security).
Users of affected versions should upgrade to a fixed release: Vaadin 10.0.0-10.0.13 users should upgrade to 10.0.14 or newer, and Vaadin 13.0.0-13.0.5 users should upgrade to 13.0.6 or newer. For the flow-server component itself, versions 1.0.0-1.0.10 should be upgraded to 1.0.11 or newer, and versions 1.4.0-1.4.2 to 1.4.3 or newer. Vaadin 11 and 12 are no longer supported; their users should upgrade to version 13.0.6 or newer (Vaadin Security).
Source: This report was generated using AI