Stevegeek

**Name of the Vulnerable Software and Affected Versions** Avo versions prior to 2.47.0 Avo versions prior to 3.3.0 **Description** Avo is a framework to create admin panels for Ruby on Rails apps. In Avo, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this to trigger a cross-site scripting attack on an unsuspecting user. **Recommendations** For versions prior to 2.47.0, upgrade to version 2.47.0 or later. For versions prior to 3.3.0, upgrade to version 3.3.0 or later. As a temporary workaround, consider disabling the `error` and `succeed` methods in `Avo::BaseAction` subclasses until a patch is available. Restrict access to the `Avo::BaseAction` subclass to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** encoded id-rails versions before 1.0.0.beta2 **Description** The issue is an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long `id` parameter. This can lead to high CPU consumption and allocation of a large number of intermediate objects, causing the application to spend a significant amount of time decoding the ID. **Recommendations** Upgrade to version 1.0.0.beta2, which introduces a new option to limit the length of IDs that can be decoded, mitigating the vulnerability. As a temporary workaround, consider restricting access to the `id` parameter in the affected API endpoint until the issue is resolved.