CVE-2024-22191

2024-01-1622:15:46

CWE-79

GitHub_M

web.nvd.nist.gov

avo

ruby on rails

xss

vulnerability

security

update

cve-2024-22191

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting (XSS) vulnerability was found in the key_value field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim’s browser. The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability could be used to steal sensitive information from victims that could be used to hijack victims’ accounts or redirect them to malicious websites. Avo 3.2.4 and 2.47.0 include a fix for this issue. Users are advised to upgrade.

Affected configurations

Nvd

Vulners

Node

avohqavoRange<2.47.0ruby

avohqavoRange3.0.0–3.3.0ruby

VendorProductVersionCPE
avohqavo*cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*

Vendor	Product	Version	CPE
avohq	avo	*	cpe:2.3:a:avohq:avo::::::ruby::*

CNA Affected

[
  {
    "vendor": "avo-hq",
    "product": "avo",
    "versions": [
      {
        "version": ">= 3.0.0.beta1, < 3.2.4",
        "status": "affected"
      },
      {
        "version": "< 2.47.0",
        "status": "affected"
      }
    ]
  }
]