Stored XSS (Cross Site Scripting) in html content based fields of avo
CVE-2023-34103

5.4MEDIUM

Key Information:

Vendor: avo-hq
Status: avo
Vendor: CVE Published:; 5 June 2023

What is CVE-2023-34103?

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit 7891c01e which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Affected Version(s)

avo <= 2.33.2 <= 2.33.2

avo >= 3.0.0.pre1, <= 3.0.0.pre12 <= 3.0.0.pre1, 3.0.0.pre12

References

https://github.com/avo-hq/avo/security/advisories/GHSA-5c...

x_refsource_CONFIRM

https://github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7db...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2023
Vulnerability Reserved
May 25, 2023

CVE-2023-34103 Data

JSON