Lucene search

GoogleOSV:CVE-2023-34103

HistoryJun 05, 2023 - 11:15 p.m.

CVE-2023-34103

2023-06-0523:15:12

Google

osv.dev

avo

cross site scripting

xss

html

privilege

commit 7891c01e

security

vulnerability

configuration

csp

user access

mitigation

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.7%

JSON

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit 7891c01e which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

CPENameOperatorVersion
avoeq0.1.9
avoeq1.13.2
avoeq2.30.1
avoeq2.31.0
avoeq2.30.2
avoeq0.1.3
avoeq2.28.0
avoeq0.4.5
avoeq1.20.0
avoeq2.4.0

Name	Operator	Version
avo	eq	0.1.9
avo	eq	1.13.2
avo	eq	2.30.1
avo	eq	2.31.0
avo	eq	2.30.2
avo	eq	0.1.3
avo	eq	2.28.0
avo	eq	0.4.5
avo	eq	1.20.0
avo	eq	2.4.0

Rows per page:

1-10 of 1891

References

github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7dbccc43d27f385e5d08563

github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.7%

JSON

Related for OSV:CVE-2023-34103