summaryrefslogtreecommitdiffstats
path: root/WebContent
diff options
context:
space:
mode:
Diffstat (limited to 'WebContent')
-rw-r--r--WebContent/release-notes.html19
1 files changed, 16 insertions, 3 deletions
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html
index 0347da0ce5..2719d69678 100644
--- a/WebContent/release-notes.html
+++ b/WebContent/release-notes.html
@@ -41,6 +41,7 @@
<ul>
<li><a href="#overview">Overview of Vaadin
@version@ Release</a></li>
+ <li><a href="#security-fixes">Security fixes</a></li>
<li><a href="#changelog">Change log for Vaadin
@version@</a></li>
<li><a href="#enhancements">Enhancements in Vaadin
@@ -68,10 +69,22 @@
<p>
Vaadin @version@ is a maintenance release that includes a
- number of new features and bug fixes, as listed in the <a
- href="#enhancements">list of enhancements</a> and <a
- href="#changelog">change log</a> below.
+ number of bug fixes, as listed in the <a href="#changelog">
+ change log</a> below.
</p>
+
+ <h3 id="security-fixes">Security fixes in Vaadin Framework 7.3.7</h3>
+
+ <p>
+ Vaadin 7.3.7 fixes an important security issue.
+ </p>
+ <p><b>Portlet error messages</b></p>
+ <p>
+ Proper escaping of HTML in portlet error messages was not ensured,
+ making a reflected cross-site scripting attack possible through
+ VaadinPortlet by making the user load a URL designed to include
+ an error message crafted by the attacker.
+ </p>
<!-- ================================================================ -->
<h3 id="changelog">Change log for Vaadin @version@</h3>