Lucene search

PRIOn knowledge basePRION:CVE-2024-22411

HistoryJan 16, 2024 - 10:15 p.m.

Cross site scripting

2024-01-1622:15:00

PRIOn knowledge base

www.prio-n.com

cross site scripting

html rendering

ruby on rails

avo framework

vulnerability

sanitization

action completion

exploit

malicious user

upgrade

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.9%

JSON

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

CPENameOperatorVersion
avoeq3.0.0 pre12
avolt2.47.0
avoge3.0.2
avolt3.3.0

Name	Operator	Version
avo	eq	3.0.0 pre12
avo	lt	2.47.0
avo	ge	3.0.2
avo	lt	3.3.0

References

github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347

github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258

github.com/avo-hq/avo/releases/tag/v2.47.0

github.com/avo-hq/avo/releases/tag/v3.3.0

github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh