CVE-2023-34103

2023-06-0523:15:12

CWE-79

GitHub_M

web.nvd.nist.gov

avo

ruby on rails

admin panel

cross site scripting

xss

html

security

vulnerability

csp

privilege escalation

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

23.5%

JSON

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit 7891c01e which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Affected configurations

Nvd

Vulners

Node

avohqavoRange≤2.33.2ruby

avohqavoMatch3.0.0pre12ruby

VendorProductVersionCPE
avohqavo*cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*
avohqavo3.0.0cpe:2.3:a:avohq:avo:3.0.0:pre12:*:*:*:ruby:*:*

Vendor	Product	Version	CPE
avohq	avo	*	cpe:2.3:a:avohq:avo::::::ruby::*
avohq	avo	3.0.0	cpe:2.3:a:avohq:avo:3.0.0:pre12::::ruby::*

CNA Affected

[
  {
    "vendor": "avo-hq",
    "product": "avo",
    "versions": [
      {
        "version": "<= 2.33.2",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0.pre1, <= 3.0.0.pre12",
        "status": "affected"
      }
    ]
  }
]