Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.
References
Link | Resource |
---|---|
https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347 | Patch |
https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258 | Patch |
https://github.com/avo-hq/avo/releases/tag/v2.47.0 | Release Notes |
https://github.com/avo-hq/avo/releases/tag/v3.3.0 | Release Notes |
https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh | Exploit Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-01-16T21:57:44.824Z
Updated: 2024-01-19T17:24:40.497Z
Reserved: 2024-01-10T15:09:55.550Z
Link: CVE-2024-22411
JSON object: View
NVD Information
Status : Analyzed
Published: 2024-01-16T22:15:46.420
Modified: 2024-01-24T18:54:46.323
Link: CVE-2024-22411
JSON object: View
Redhat Information
No data.
CWE