CVE-2024-22411
Description
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.
Risk Information
Base Score
5.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
5.77
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2024-22411 are fixed in Ruby-avo 3.3.0 | Windows |
| Vulnerabilities CVE-2024-22411 are fixed in Ruby-avo 2.47.0 | Windows |
| Vulnerabilities CVE-2024-22411 are fixed in Ruby-avo for Linux 3.3.0 | Linux |
| Vulnerabilities CVE-2024-22411 are fixed in Ruby-avo for Linux 2.47.0 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234