Flx-0X00

Rank: #31132 of 53,633 · Total CVSS: 8.3 · Vulnerabilities: 1
PT-2023-24673
8.3
2023-06-05
Avo · Avo · CVE-2023-34102
**Name of the Vulnerable Software and Affected Versions**

Avo (affected versions not specified).

**Description**

The polymorphic field type in Avo stores the classes to operate on when a record is updated with user input, and the back end does not validate them. Viewing a manipulated record can therefore lead to unexpected behavior, remote code execution, or application crashes. The issue stems from the use of `safe_constantize` / `constantize` in Rails, which look up a class by name within the Rails context and return it for further use. Avo assumes that the class named in the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.

**Recommendations**

To resolve the issue, Avo should never trust user-supplied input, especially when it names the classes used for records. Avo can evaluate the options list configured for the polymorphic field and accept only strings from that list, an allow-list approach that prevents attackers from supplying unintended classes. As a temporary workaround, consider limiting access to untrusted users until a fixed release is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
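The following is an added example, not Avo's code, illustrating the pattern described above: a class name taken straight from the request is resolved unchecked, beside the allow-list fix drawn from the field's configured options. It is plain Ruby, so `Object.const_get` stands in for Rails' `constantize`, and `Post`, `Comment` and the `commentable_*` parameter names are constructed stand-ins for application models and a polymorphic association.

```ruby
# Constructed stand-ins for two application models a polymorphic field may target.
class Post;    def self.find(_id) = new; end
class Comment; def self.find(_id) = new; end

# The options configured on the polymorphic field: the only classes it should ever use.
POLYMORPHIC_TYPES = %w[Post Comment].freeze

# Vulnerable pattern: the class name in the request is trusted and resolved directly
# (Object.const_get stands in for Rails' constantize). Any loadable constant resolves,
# not just the two models the field was configured with.
def resolve_type_unsafe(type_name)
  Object.const_get(type_name)
end

class UnknownTypeError < StandardError; end

# Hardened pattern: resolve the name only if it is one of the configured options.
def resolve_type_safe(type_name, allowed: POLYMORPHIC_TYPES)
  unless allowed.include?(type_name)
    raise UnknownTypeError, "polymorphic type not permitted: #{type_name.inspect}"
  end
  Object.const_get(type_name)
end

# Applies a record update from request params using the hardened resolver.
# `record` is a plain Hash standing in for a model instance.
def update_polymorphic_field(record, params, allowed: POLYMORPHIC_TYPES)
  klass = resolve_type_safe(params.fetch("commentable_type"), allowed: allowed)
  record[:commentable_type] = klass.name
  record[:commentable_id]   = Integer(params.fetch("commentable_id"))
  record
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a type outside the configured options.
  hostile = { "commentable_type" => "Kernel", "commentable_id" => "1" }
  puts "unsafe resolves to: #{resolve_type_unsafe(hostile['commentable_type'])}"
  begin
    update_polymorphic_field({}, hostile)
  rescue UnknownTypeError => e
    puts "safe rejects it: #{e.message}"
  end
end
```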