PT-2023-24674 · Avo · Avo

Mys7Ic · Published 2023-06-05 · Updated 2023-06-12 · CVE-2023-34103

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Avo (affected versions not specified)

Description: Some Avo fields are vulnerable to Cross-Site Scripting (XSS) when rendering HTML-based content. Attackers need form edit privilege to exploit this vulnerability, but the result is stored, and no specific timing is required. An attacker can exploit this to store JavaScript code in any trix field by intercepting the request and modifying the POST data. The impact is that attackers may gain access to accounts that require special protection, such as administrators of the web service.

Recommendations: To resolve the issue, users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation. Additionally, the content of a field that contains HTML code should be sanitized using the corresponding Rails helper, which uses a whitelist of known-safe tags and attributes. This security consideration should also be applied to the as_html attribute, because it may contain user-controlled input. As a temporary workaround, consider disabling the trix field until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
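The sanitizing step the recommendation describes, as an added illustration that is not code from Avo, Rails or the advisory: a small allow-list sanitizer in Ruby that rebuilds trix markup from parsed, allow-listed parts, so stored script tags, event-handler attributes and javascript: links do not survive rendering. In a Rails application the equivalent is the sanitize view helper; the TAMPERED_TRIX sample below is constructed for the example.

```ruby
require "cgi"

# Allow-list of tags Trix emits; everything else (script, img, iframe, svg...) is dropped.
ALLOWED_TAGS  = %w[div p br strong em del a h1 blockquote pre ul ol li].freeze
# Only <a href> keeps an attribute; event handlers (onclick, onerror...) never survive.
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
# href must be http(s), mailto, a same-origin path or a fragment; javascript:/data: are rejected.
SAFE_URL      = %r{\A(?:https?:|mailto:|/(?!/)|#)}i

TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)(.*)>\z}m
ATTR_RE = %r{([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?}

# Rebuilds the markup from parsed parts so no input byte reaches the output unchecked.
def sanitize_html(html)
  html.gsub(%r{<[^>]*>|<|[^<]+}) do |tok|
    tok.start_with?("<") ? sanitize_tag(tok) : escape_text(tok)
  end
end

def escape_text(text)
  # Decode first so existing entities are not double-encoded, then re-encode.
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

def sanitize_tag(tok)
  m = TAG_RE.match(tok)
  return escape_text(tok) unless m           # malformed tag: show it as text, never as markup
  closing, name, raw_attrs = m[1] == "/", m[2].downcase, m[3]
  return "" unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing
  kept = raw_attrs.scan(ATTR_RE).filter_map do |aname, dq, sq, bare|
    aname = aname.downcase
    next unless ALLOWED_ATTRS.fetch(name, []).include?(aname)
    value = CGI.unescapeHTML(dq || sq || bare || "").strip   # entity-encoded schemes are decoded before the check
    next if aname == "href" && value !~ SAFE_URL
    %( #{aname}="#{CGI.escapeHTML(value)}")
  end.join
  "<#{name}#{kept}>"
end

# Constructed sample of what a tampered POST could leave in a trix field (not taken from the advisory).
TAMPERED_TRIX = '<div>Hi <script>alert(1)</script>' \
                '<a href="javascript:alert(1)" onclick="x()">link</a>' \
                '<img src=x onerror=alert(1)><a href="https://example.com">ok</a></div>'

puts sanitize_html(TAMPERED_TRIX)
```

The same function applies to any value rendered with as_html, since the risk is the rendering path rather than the trix field type.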

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2023-34103, GHSA-5CR9-5JX3-2G39

Affected Products: Avo