Lucene search

GoogleOSV:CVE-2024-22411

HistoryJan 16, 2024 - 10:15 p.m.

CVE-2024-22411

2024-01-1622:15:46

Google

osv.dev

avo framework

html rendering

vulnerability

fixed

upgrade

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

19.8%

JSON

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

CPENameOperatorVersion
avoeq0.1.9
avoeq1.13.2
avoeq2.30.1
avoeq2.31.0
avoeq2.30.2
avoeq0.1.3
avoeq2.28.0
avoeq0.4.5
avoeq1.20.0
avoeq2.4.0

Name	Operator	Version
avo	eq	0.1.9
avo	eq	1.13.2
avo	eq	2.30.1
avo	eq	2.31.0
avo	eq	2.30.2
avo	eq	0.1.3
avo	eq	2.28.0
avo	eq	0.4.5
avo	eq	1.20.0
avo	eq	2.4.0

Rows per page:

1-10 of 2351

References

github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347

github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258

github.com/avo-hq/avo/releases/tag/v2.47.0

github.com/avo-hq/avo/releases/tag/v3.3.0

github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh