PT-2024-19402 · Avo · Avo

Stevegeek · Published 2024-01-16 · Updated 2024-01-24 · CVE-2024-22411

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Vulnerable software and affected versions: Avo (an admin-panel framework for Ruby on Rails), versions prior to 2.47.0 on the 2.x line and versions prior to 3.3.0 on the 3.x line.
Description: Avo is a framework for building admin panels for Ruby on Rails applications. In affected versions, any HTML contained in the text passed to error or succeed in an Avo::BaseAction subclass is rendered directly, without sanitization or escaping, in the toast/notification shown in the UI when the action completes. If that text includes data an attacker can influence (for example a record attribute interpolated into the message), the attacker can get markup or script into the toast and mount a cross-site scripting attack against the admin user who runs the action. The CVSS vector reflects this: the attacker needs some level of access to plant the HTML (PR:L), and a victim has to trigger the action (UI:R).
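The mechanism above, as an added example that is not Avo's own code: a minimal Ruby model of an action that collects succeed/error messages, beside two toast renderers, one that interpolates the message body verbatim (the pre-fix behaviour the description names) and one that escapes it with ERB::Util.html_escape. BaseAction, PublishPost, handle, render_toast_unsafe, render_toast_escaped, injected? and the record name are constructed for illustration and mirror the advisory's wording rather than Avo's real internals; the escaping shown is one standard remedy, not necessarily the change Avo shipped.

```ruby
require "erb"

# Illustrative stand-in for Avo::BaseAction (assumption, not Avo's code):
# actions report outcomes through succeed/error, and each message later
# becomes a toast shown to the admin user who ran the action.
class BaseAction
  attr_reader :messages

  def initialize
    @messages = []
  end

  def succeed(text)
    @messages << { type: :success, body: text }
  end

  def error(text)
    @messages << { type: :error, body: text }
  end
end

# Pre-fix behaviour as the advisory describes it: the body is dropped into
# the toast markup verbatim, so any HTML it carries is rendered, not shown.
def render_toast_unsafe(message)
  %(<div class="toast toast-#{message[:type]}">#{message[:body]}</div>)
end

# Hardened renderer: HTML-escape the body so tags appear as literal text.
def render_toast_escaped(message)
  body = ERB::Util.html_escape(message[:body])
  %(<div class="toast toast-#{message[:type]}">#{body}</div>)
end

# A hypothetical action whose message interpolates attacker-influenced data:
# a record name that a low-privileged user is allowed to edit.
class PublishPost < BaseAction
  def handle(record_name)
    succeed "Published post: #{record_name}"
  end
end

# Constructed attacker input: a record name carrying an event-handler payload.
MALICIOUS_NAME = '<img src=x onerror="alert(document.cookie)">'

# Run the action with the given record name and render its first message
# with the chosen renderer (:render_toast_unsafe or :render_toast_escaped).
def toast_html(renderer, name = MALICIOUS_NAME)
  action = PublishPost.new
  action.handle(name)
  send(renderer, action.messages.first)
end

# Crude check: does the rendered toast still contain a live <img> tag?
# The escaped form contains "&lt;img", which does not match.
def injected?(html)
  html.match?(/<img\b/)
end

if __FILE__ == $PROGRAM_NAME
  puts toast_html(:render_toast_unsafe)   # payload survives as markup
  puts toast_html(:render_toast_escaped)  # payload shown as text
end
```

The point of the two renderers is that the fix belongs in the rendering layer, not in each action: whatever an individual subclass passes to succeed or error, the toast should treat it as text unless the caller explicitly marks trusted markup.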
Recommendations: For the 2.x line, upgrade to version 2.47.0 or later. For the 3.x line, upgrade to version 3.3.0 or later. If you cannot upgrade immediately, avoid passing user-controlled text to the error and succeed methods in Avo::BaseAction subclasses (or stop using them in those subclasses) until you can, and restrict which users may run actions whose messages include data other users can edit, to reduce the window for exploitation.
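A quick way to tell whether a project sits in one of the two affected ranges, added here as an example and not part of the advisory or of Avo: compare the Avo version resolved in Gemfile.lock against the fixed versions using Gem::Version. The functions avo_vulnerable?, locked_avo_version and lockfile_vulnerable?, and the sample lockfile fragment, are constructed for this illustration; the version logic follows the ranges stated above (everything before 2.47.0, and 3.x before 3.3.0).

```ruby
require "rubygems"

# Fixed versions per release line, as stated in the advisory.
FIXED = {
  2 => Gem::Version.new("2.47.0"),
  3 => Gem::Version.new("3.3.0"),
}.freeze

# True when the given Avo version falls in an affected range:
# anything below 2.47.0 (including any 1.x), or 3.0.0 <= v < 3.3.0.
# Later major lines are outside the advisory's ranges and return false.
def avo_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  major = v.segments.first
  if major < 3
    v < FIXED[2]
  elsif major == 3
    v < FIXED[3]
  else
    false
  end
end

# Extract the resolved avo version from Gemfile.lock text: the
# "    avo (x.y.z)" line under specs:. Returns nil if avo is not locked.
# Four leading spaces distinguish the gem's own entry from its
# dependency lines (six spaces) and "avo-" prefixed gems are excluded
# by the literal "avo (" match.
def locked_avo_version(lockfile_text)
  m = lockfile_text.match(/^ {4}avo \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.2)
      avo (3.2.3)
        actionpack (>= 6.1)
      avo-extras (0.1.0)
LOCK

# nil when avo is absent, otherwise whether the locked version is affected.
def lockfile_vulnerable?(lockfile_text)
  version = locked_avo_version(lockfile_text)
  return nil if version.nil?
  avo_vulnerable?(version)
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "avo #{locked_avo_version(lock).inspect}: vulnerable=#{lockfile_vulnerable?(lock).inspect}"
end
```

Run it with the path to a project's Gemfile.lock as the first argument; with no argument it evaluates the embedded sample, which resolves avo 3.2.3 and is therefore reported as affected.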

Exploit · Fix · XSS

Related Identifiers: CVE-2024-22411, GHSA-G8VP-2V5P-9QFH

Affected Products: Avo