CVE-2024-22411

MEDIUM LAB

Avo < 2.47.0 and 3.0.0.beta1-3.3.0 - Stored Cross-Site Scripting via Action Toast Notification

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-22411. PoCs published by tamaloa.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2024-22411, demonstrating an XSS vulnerability in the Avo admin panel. The exploit is embedded in the `ToggleInactive` action, which injects a malicious script into the error message.

Description

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

Exploits (1)

nomisec WORKING POC

by tamaloa · poc

https://github.com/tamaloa/avo-CVE-2024-22411

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-22411, demonstrating an XSS vulnerability in the Avo admin panel. The exploit is embedded in the `ToggleInactive` action, which injects a malicious script into the error message.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Avo admin panel (Ruby on Rails)

Auth required

Prerequisites: Access to the Avo admin panel · Ability to trigger the `ToggleInactive` action

MITRE ATT&CK