CVE-2023-25499: 
Java vulnerability analysis and mitigation

CVE-2023-25499 affects Vaadin versions 10.0.0 through 24.1.0.beta1, where non-visible components added to the UI on the server side result in content being sent to the browser. The vulnerability was discovered and reported by Kim Leppänen, and was publicly disclosed on June 22, 2023. The affected software includes multiple versions of Vaadin and its flow-server component (Vaadin Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. It is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue occurs specifically when adding non-visible components to the UI on the server side, which results in unintended content being transmitted to the browser (NVD).

The vulnerability can lead to potential information disclosure of sensitive content that was not intended to be visible to the client. This affects the confidentiality of the application while integrity and availability remain unaffected (Vaadin Advisory).

Users are advised to upgrade to fixed versions: Vaadin 10.0.23 for 10.x series, 14.10.1 or newer for 11.0.0-14.10.0, 22.1.0 for 15.0.0-22.0.28 (available on demand), 23.3.13 or newer for 23.x series, 24.0.6 or newer for 24.0.x series, and 24.1.0 or newer for 24.1.x series. For the flow-server component, specific version upgrades are recommended based on the version in use (Vaadin Advisory).