CVE-2021-33604: 
Java vulnerability analysis and mitigation

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. The vulnerability was discovered in May 2021 and publicly disclosed on June 24, 2021 (Vaadin Security).

The vulnerability is caused by improper URL sanitation with the frontend development server, which could allow cross-site scripting attacks. The issue has been assigned a CVSS v3.1 Base Score of 2.5 (Low) with the vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N. This indicates a local attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, low confidentiality impact, and no impact on integrity or availability (AttackerKB).

The vulnerability could allow an attacker to gain access to a locally running Vaadin application in the browser by executing cross-site scripting from another web page the developer has opened. This could potentially expose sensitive data like production database clones if present in the development environment (Vaadin Security).

Users of affected versions should upgrade to fixed versions: Vaadin 14.6.2 or newer for versions 14.0.0-14.6.1, Vaadin 19.0.9 or newer for versions 19.0.0-19.0.8. Versions 15-18 are no longer supported and users should update to the latest version 19. For the flow-server component, version 2.6.2 or higher is recommended for the 2.x series, and version 6.0.10 or higher for the 6.x series (Vaadin Security).