CVE-2024-22411

MEDIUM

Avo <3 pre12 - XSS

Title source: llm

Description

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

Exploits (1)

nomisec WORKING POC

by tamaloa · poc

https://github.com/tamaloa/avo-CVE-2024-22411

View Code ZIP pw:eip

References (5)

[Patch] https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347

[Patch] https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258

[Release Notes] https://github.com/avo-hq/avo/releases/tag/v2.47.0

[Release Notes] https://github.com/avo-hq/avo/releases/tag/v3.3.0

[Exploit, Vendor Advisory] https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh

Scores

CVSS v3 6.5

EPSS 0.0577

EPSS Percentile 90.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Details

CWE

CWE-79

Status published

Products (3)

avohq/avo 3.0.0 pre12

avohq/avo < 2.47.0

rubygems/avo 3.0.0.beta1 - 3.3.0RubyGems

Published Jan 16, 2024

Tracked Since Feb 18, 2026