CVE-2024-22411

Severity: Medium (CVSS 3.1 base score 5.4) · EPSS: 48.9%
Published: Jan 16, 2024 · Last Modified: Jun 17, 2026

Description

Avo is a framework for building admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside the text passed to `error` or `succeed` in an `Avo::BaseAction` subclass is rendered without sanitization in the toast/notification shown in the UI when the action completes. An attacker who can get HTML into that text (for example through user-supplied data that the action echoes back in its message) can therefore run script in the browser of the admin user who triggered the action, i.e. a cross-site scripting attack. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo (the affected-version ranges below also cover the 2.x line). Users are advised to upgrade.
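The following is an added example, not code from Avo or from this advisory: a minimal Ruby stand-in for the action-completion toast that shows the vulnerable pattern (message text interpolated into markup verbatim) next to the hardened one (text escaped with `ERB::Util.html_escape` before interpolation). Only the method names `succeed` and `error` come from the advisory; the `Toast` module, the `ArchiveAction` class, the record data and the payload are all constructed for this example and do not reproduce Avo's real rendering code.

```ruby
require "erb"

# Added example (not Avo's code): a minimal stand-in for the action-completion
# toast described in the advisory. Only the method names `succeed` and `error`
# come from the advisory; the module, class and renderer below are assumptions.
module Toast
  # Vulnerable pattern: the message is dropped into the markup verbatim,
  # so any HTML it carries becomes part of the page.
  def self.render_unsafe(kind, message)
    %(<div class="toast toast-#{kind}">#{message}</div>)
  end

  # Hardened pattern: escape the text before interpolating it. ERB::Util
  # turns < > & " ' into entities, so the browser shows the text literally.
  def self.render_safe(kind, message)
    %(<div class="toast toast-#{kind}">#{ERB::Util.html_escape(message)}</div>)
  end
end

# Hypothetical action modelled on an Avo::BaseAction subclass: the message
# passed to `succeed`/`error` embeds a record attribute an attacker controls.
class ArchiveAction
  attr_reader :toasts

  def initialize(renderer)
    @renderer = renderer # :render_unsafe or :render_safe
    @toasts = []
  end

  def succeed(message)
    @toasts << Toast.public_send(@renderer, "success", message)
  end

  def error(message)
    @toasts << Toast.public_send(@renderer, "error", message)
  end

  def handle(records:)
    records.each do |record|
      if record[:locked]
        error("Could not archive #{record[:name]}: record is locked")
      else
        succeed("Archived #{record[:name]}")
      end
    end
    toasts
  end
end

# Constructed sample data: one record whose name carries a script-bearing tag.
XSS_PAYLOAD = %(<img src=x onerror="alert(document.cookie)">)
SAMPLE_RECORDS = [
  { name: "Quarterly report", locked: false },
  { name: XSS_PAYLOAD, locked: true },
].freeze

# Returns every tag name found in the rendered toasts other than the wrapper
# <div>; anything listed here is markup that came from the message text.
def injected_tags(toasts)
  toasts.flat_map { |html| html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten }
        .map(&:downcase)
        .reject { |tag| tag == "div" }
end

def run(renderer)
  ArchiveAction.new(renderer).handle(records: SAMPLE_RECORDS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{injected_tags(run(:render_unsafe)).inspect}"
  puts "safe:   #{injected_tags(run(:render_safe)).inspect}"
end
```

Running the file prints `unsafe: ["img"]` and `safe: []`: the only markup that survives the hardened renderer is its own wrapper element. The practitioner's check on a deployment is the same idea: trigger an action whose success or error message embeds a value you control and inspect the rendered toast's DOM for elements you did not write. The fix is to upgrade to 3.3.0 or 2.47.0 rather than to escape by hand in every action.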

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
48.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor   Product   Version range
avohq    avo       < 2.47.0
avohq    avo       ≥ 3.0.2, < 3.3.0
avohq    avo       3.0.0 (any build)

References

  • https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347 (Patch)
  • https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258 (Patch)
  • https://github.com/avo-hq/avo/releases/tag/v2.47.0 (Release Notes)
  • https://github.com/avo-hq/avo/releases/tag/v3.3.0 (Release Notes)
  • https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh (Exploit, Vendor Advisory)

Remediation

  • https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347 (Patch)
  • https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258 (Patch)