Veracode Vulnerability Database: VERACODE:45083
History: Jan 18, 2024 - 12:21 p.m.

Cross Site Scripting (XSS)

2024-01-18 12:21:08
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: cross site scripting, avo::baseaction, vulnerability, javascript

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 19.9%)

avo is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper sanitization of text passed in error or succeed messages within the Avo::BaseAction subclass. An attacker can inject arbitrary JavaScript into the message fields resulting in XSS.

CPE
Name: avo
Operator: le
Version: 3.2.3
