RubySec advisory RUBY:AVO-2023-34103 (rubygems)
Published: Jun 05, 2023, 9:00 p.m.

avo vulnerable to Stored XSS (Cross Site Scripting) in html content based fields

Tags: xss, stored xss, html content, trix editor, sanitizehelper, security concern

CVSS3: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 6.4
Confidence: High

Summary

Some Avo fields are vulnerable to stored XSS when rendering HTML-based content, because the stored HTML is emitted without sanitization.

Details

During analysis of the web application, a rendered field was found that
does not filter HTML/JavaScript tags safely and can be abused to execute
JavaScript in the browser of any user who views it. The trix field uses
the Trix editor in the admin backend to edit rich-text data, which is
stored as HTML. To display the stored data in a rendered view, the
HasHTMLAttributes concern is used, and it outputs that HTML as-is. The
Trix editor does not let a user add custom HTML or script tags in the
frontend, but that restriction is enforced only on the client: an
attacker can intercept the request and modify the POST data to store
arbitrary JavaScript in any trix field.

Impact

Unlike non-persistent (reflected) XSS, persistent XSS does not require a
social engineering phase: victims do not need to be tricked into clicking
a crafted link, the payload runs for everyone who views the rendered
field. On this particular target that matters, because Avo is primarily
used to build admin panels, so an attacker who can write to such a field
may be able to gain access to accounts that require special protection,
such as administrators of the web service.

Recommendation

The content of a field that contains HTML should be sanitized with the
corresponding Rails helper (ActionView::Helpers::SanitizeHelper#sanitize),
which uses an allowlist of known-safe tags and attributes instead of
trying to block dangerous ones. The same treatment should be applied to
the "as_html" attribute, because it may also contain user-controlled
input.

https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
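The two paths the Details and Recommendation sections describe, as an added example that is not Avo's or Rails' code: the unsafe path that emits stored HTML as-is, beside an allowlist sanitizer written in plain Ruby so it runs without Rails. In an Avo/Rails application you would call ActionView's `sanitize` helper instead (backed by the rails-html-sanitizer gem); the `TrixSanitizer` module name, the tag and attribute lists, the URL-scheme list and the constructed `PAYLOAD` are assumptions for illustration, not Avo's configuration.

```ruby
require "cgi"

# Added illustration, not Avo's or Rails' code: an allowlist HTML sanitizer in
# plain Ruby. In a Rails app use ActionView::Helpers::SanitizeHelper#sanitize
# (backed by the rails-html-sanitizer gem); this version only exists so the
# example runs without Rails and makes the allowlist principle visible.
module TrixSanitizer
  # Assumed allowlist, roughly the markup Trix emits. Event-handler attributes
  # (onclick, onerror, ...) and style are never listed, so they can never pass.
  ALLOWED_TAGS  = %w[div p br strong em b i u s a ul ol li blockquote pre
                     h1 h2 h3 figure figcaption img].freeze
  ALLOWED_ATTRS = { "a" => %w[href title], "img" => %w[src alt width height] }.freeze
  SAFE_SCHEMES  = %w[http https mailto].freeze
  DROP_CONTENT  = %w[script style].freeze # removed together with their contents

  TAG_RE  = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/
  ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  # Constructed payload of the kind an attacker could submit by editing the
  # POST body of a Trix field, bypassing the editor's client-side restrictions.
  PAYLOAD = '<div><strong>Release notes</strong><script>alert(document.cookie)</script>' \
            '<a href="javascript:alert(1)" onclick="steal()">click</a>' \
            '<img src="x" onerror="alert(1)"> 1 < 2 &amp; ' \
            '<a href="https://example.com">ok</a></div>'

  # The unsafe path the advisory describes: stored HTML emitted as-is
  # (equivalent to marking the attribute html_safe in a view).
  def self.render_unsanitized(html)
    html.to_s
  end

  # URL attribute check: relative paths and http/https/mailto only. Whitespace
  # and control characters are stripped first so "java\tscript:" is caught.
  def self.safe_url?(value)
    v = value.to_s.strip.downcase.gsub(/[\s\x00-\x1f]/, "")
    return false if v.start_with?("//")           # protocol-relative URL
    return true  if v.start_with?("/", "#")
    return true  unless v.include?(":")           # plain relative path
    SAFE_SCHEMES.any? { |scheme| v.start_with?("#{scheme}:") }
  end

  def self.render_attrs(tag, raw)
    allowed = ALLOWED_ATTRS.fetch(tag, [])
    raw.to_s.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
      name  = name.downcase
      value = dq || sq || bare || ""
      next unless allowed.include?(name)
      next if %w[href src].include?(name) && !safe_url?(value)
      %( #{name}="#{escape(value)}")
    end.join
  end

  # Normalise entities then re-escape, so text can never close or open a tag.
  def self.escape(text)
    CGI.escapeHTML(CGI.unescapeHTML(text))
  end

  # Walks the markup tag by tag: allowed tags are re-emitted with only their
  # allowed attributes, unknown tags are dropped (their text is kept), and
  # script/style are dropped together with everything up to their closing tag.
  def self.sanitize(html)
    html = html.to_s
    out  = +""
    pos  = 0
    skipping = nil # name of the DROP_CONTENT tag currently being skipped
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << escape(html[pos...m.begin(0)]) unless skipping
      pos = m.end(0)
      name    = m[1].downcase
      closing = m[0].start_with?("</")
      if skipping
        skipping = nil if closing && name == skipping
      elsif DROP_CONTENT.include?(name)
        skipping = name unless closing
      elsif ALLOWED_TAGS.include?(name)
        out << (closing ? "</#{name}>" : "<#{name}#{render_attrs(name, m[2])}>")
      end
    end
    out << escape(html[pos..]) unless skipping
    out
  end
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe:    #{TrixSanitizer.render_unsanitized(TrixSanitizer::PAYLOAD)}"
  puts "sanitized: #{TrixSanitizer.sanitize(TrixSanitizer::PAYLOAD)}"
end
```

The design point is the one the recommendation makes: nothing is "blocked", only listed tags and attributes survive, so an event handler or a new bypass trick never has a path through. URL-bearing attributes get a scheme check on top, since `href` is allowed but `javascript:` inside it is not.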

Affected configurations

Vulners node: ruby / avo, range 2.33.3
Vendor: ruby, Product: avo, Version: *, CPE: cpe:2.3:a:ruby:avo:*:*:*:*:*:*:*:*
