CVE-2024-22411 (score 6.5; tag: Exploit)

Cross-site scripting in Action messages on Avo

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass is rendered directly, without sanitization, in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross-site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

Data provided by the National Vulnerability Database (NVD)

Affected products
Vendor  Product  Software Platform  Version
Avohq   Avo      ruby               < 2.47.0
Avohq   Avo      ruby               >= 3.0.2, < 3.3.0
Avohq   Avo      ruby               3.0.0 (update: pre12)

No advisory was found for this CVE.

EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.71%  0.486

CVSS Metrics
Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    5.4         2.3            2.7           CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com  6.5         2.3            3.7           CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References
https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347 (Patch)
https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258 (Patch)
https://github.com/avo-hq/avo/releases/tag/v2.47.0 (Release Notes)
https://github.com/avo-hq/avo/releases/tag/v3.3.0 (Release Notes)
https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh (Vendor Advisory, Exploit)