PT-2024-19264 · Avo · Avo
Mys7Ic · Published 2024-01-16 · Updated 2024-01-24 · CVE-2024-22191
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Avo versions 2.46.0 through 3.2.3
Description: A stored cross-site scripting (XSS) vulnerability was found in the key value field of Avo. It could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The content of the key value field is inserted directly into the HTML code without proper sanitization. This vulnerability could be used to steal sensitive information from victims, which in turn could be used to hijack their accounts or redirect them to malicious websites.
Recommendations: For Avo versions 2.46.0 through 3.2.3, upgrade to version 3.2.4 or 2.47.0 to resolve the issue. As a temporary workaround, consider disabling the key value field until a patch is available. Restrict access to the key value field to minimize the risk of exploitation. Avoid using the key value field in the affected Avo versions until the issue is resolved.
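The bug class described above (a stored value interpolated straight into markup) and its fix can be shown side by side. The Ruby below is an added, generic illustration written for this page; it is not Avo's code and makes no claim about how Avo's key value field is implemented. The sample pairs, the two render functions and the leaks_markup? check are all constructed here. Avo is a Rails framework, so the fix is shown with Ruby's standard CGI.escapeHTML, which is what Rails' own view escaping does for any string not marked html_safe.

```ruby
require "cgi"

# Constructed sample: key/value pairs as an admin user might submit them.
# The "note" value is hostile-looking markup used only to show what
# escaping does; it is not taken from the advisory.
SAMPLE_PAIRS = {
  "color" => "blue",
  "note"  => "<script>alert(1)</script>",
  "quote" => %q{He said "hi" & left},
}.freeze

# Vulnerable pattern (hypothetical, for illustration): each value is
# interpolated directly into the HTML fragment. Any markup in a stored
# value becomes live markup when the page is rendered in another user's
# browser, which is exactly a stored XSS.
def render_key_value_unsafe(pairs)
  rows = pairs.map { |k, v| "<tr><td>#{k}</td><td>#{v}</td></tr>" }
  "<table>#{rows.join}</table>"
end

# Fixed pattern: escape both key and value before they reach the markup.
# CGI.escapeHTML turns < > & " ' into their HTML entities, so the browser
# displays the text instead of parsing it as tags or attributes.
def render_key_value_safe(pairs)
  rows = pairs.map do |k, v|
    "<tr><td>#{CGI.escapeHTML(k.to_s)}</td><td>#{CGI.escapeHTML(v.to_s)}</td></tr>"
  end
  "<table>#{rows.join}</table>"
end

# Regression check a test suite can run against any renderer: does a raw
# value containing angle brackets survive verbatim in the output? If it
# does, the renderer is not escaping.
def leaks_markup?(pairs, html)
  pairs.values.any? { |v| v.to_s.match?(/[<>]/) && html.include?(v.to_s) }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_key_value_unsafe(SAMPLE_PAIRS)}"
  puts "safe:   #{render_key_value_safe(SAMPLE_PAIRS)}"
  puts "unsafe leaks markup? #{leaks_markup?(SAMPLE_PAIRS, render_key_value_unsafe(SAMPLE_PAIRS))}"
  puts "safe leaks markup?   #{leaks_markup?(SAMPLE_PAIRS, render_key_value_safe(SAMPLE_PAIRS))}"
end
```

When reviewing a Rails code base for this class of issue, the thing to look for is user-controlled strings passed through raw or html_safe (or built by string interpolation outside the view layer, as in the unsafe function above), since those bypass the automatic escaping that ERB applies to everything else. The leaks_markup? check is a cheap way to pin the fix in place with a test so the field cannot regress.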

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-22191
GHSA-GHJV-MH6X-7Q6H

Affected Products

Avo