CVE-2024-22411

Published: 2024-01-16 22:15:46
CWE: CWE-79
Source: GitHub_M
Reference: web.nvd.nist.gov
Tags: avo, ruby on rails, admin panel, html injection, cross site scripting, vulnerability, security, release, upgrade

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS: 0.001
Percentile: 19.7%

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

Affected configurations

Node:
  avohq avo  Range: < 2.47.0  (target software: ruby)
  OR
  avohq avo  Range: 3.0.2 to 3.3.0  (target software: ruby)
  OR
  avohq avo  Match: 3.0.0 pre12  (target software: ruby)

Vendor | Product | Version | CPE
avohq | avo | * | cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*
avohq | avo | 3.0.0 pre12 | cpe:2.3:a:avohq:avo:3.0.0:pre12:*:*:*:ruby:*:*

CNA Affected

[
  {
    "vendor": "avo-hq",
    "product": "avo",
    "versions": [
      {
        "version": ">= 3.0.0.beta1, < 3.3.0",
        "status": "affected"
      },
      {
        "version": "< 2.47.0",
        "status": "affected"
      }
    ]
  }
]
