rubygems RubySec RUBY:AVO-2024-22411
History: Jan 16, 2024 - 9:00 p.m.

Cross-site scripting (XSS) in Action messages on Avo

2024-01-16 21:00:00
RubySec
github.com
cross-site scripting
avo framework
ruby on rails
html injection
security update
vulnerability

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

AI Score: 6.2
Confidence: High

Avo is a framework to create admin panels for Ruby on Rails apps.
In Avo 3 pre12, any HTML inside text that is passed to the error or
succeed helpers of an Avo::BaseAction subclass is rendered directly,
without sanitization, in the toast/notification shown in the UI on
Action completion. A malicious user could exploit this vulnerability
to trigger a cross-site scripting attack on an unsuspecting user.

This issue has been addressed in the 3.0.2 release of Avo. Users
are advised to upgrade.
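As an added example (not the advisory's text and not the Avo project's code), the snippet below shows the application-side mitigation that holds on any Avo version: HTML-escape user-controlled fields before they are interpolated into an action message. ArchiveAction is a hypothetical stand-in for an Avo::BaseAction subclass, Record is a constructed sample, and the Avo gem is not loaded.

```ruby
require "erb"

# Constructed sample record; in an app this would be an ActiveRecord model
# whose name field was filled in by a user.
Record = Struct.new(:id, :name)

# Hypothetical stand-in for an Avo::BaseAction subclass. Only the message
# handling is modelled; the Avo gem itself is not loaded here.
class ArchiveAction
  attr_reader :messages

  def initialize
    @messages = []
  end

  # Stand-in for the `succeed` helper named in the advisory: it stores the
  # text that would be shown in the completion toast.
  def succeed(text)
    @messages << text
  end

  # Builds the toast text for one record. The user-controlled field is
  # HTML-escaped before interpolation, so a name such as "<b>Acme</b>"
  # is displayed literally instead of being rendered as markup.
  def message_for(record)
    safe_name = ERB::Util.html_escape(record.name)
    "Archived #{safe_name} (id #{record.id})"
  end

  # Runs the action over the given records and returns the toast messages.
  def handle(records)
    records.each { |record| succeed(message_for(record)) }
    messages
  end
end

# True when no raw HTML tag is left in +text+ (a cheap post-condition an
# application can assert on in its own tests).
def free_of_raw_tags?(text)
  !text.match?(%r{</?[a-zA-Z]})
end
```

Escaping the interpolated field, rather than the whole message, keeps any markup the action itself adds intact while neutralising what came from the user.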

Affected configurations

Vulners Node
ruby avo Range 3.3.0
OR
ruby avo Range 2.02.47

Vendor Product Version CPE
ruby avo * cpe:2.3:a:ruby:avo:*:*:*:*:*:*:*:*
