CVE-2024-22411
Last modified
CVE-2024-22411 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. EPSS estimates a 0.71% chance of exploitation in the next 30 days.
Description
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Avohq | Avo | < 2.47.0 | — |
| Avohq | Avo | >= 3.0.2, < 3.3.0 | — |
| Avohq | Avo | 3.0.0 | Pre12 |
References
- https://github.com/avo-hq/avo/releases/tag/v2.47.0Release Notes
- https://github.com/avo-hq/avo/releases/tag/v3.3.0Release Notes
- https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfhExploit, Vendor Advisory
- https://github.com/avo-hq/avo/releases/tag/v2.47.0Release Notes
- https://github.com/avo-hq/avo/releases/tag/v3.3.0Release Notes
- https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfhExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-22411?
How severe is CVE-2024-22411?
How do I fix CVE-2024-22411?
Are you affected by CVE-2024-22411?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST