Stored cross-site scripting (XSS) in `key_value` field in Avo
CVE-2024-22191

7.3HIGH

Key Information:

Vendor

avo-hq

Status
avo
Vendor
CVE Published:
16 January 2024

What is CVE-2024-22191?

Avo, a popular framework for creating admin panels in Ruby on Rails applications, has a stored cross-site scripting (XSS) vulnerability affecting versions v3.2.3 and v2.46.0. This vulnerability arises from improper sanitization of the key_value field, allowing malicious users to inject arbitrary JavaScript code into the browser of anyone accessing the admin interface. Attackers can exploit this flaw to steal sensitive information or manipulate session data, potentially leading to account hijacking or redirection to harmful websites. Users are strongly advised to upgrade to Avo v3.2.4 or v2.47.0, which contain patches addressing this security issue.

Affected Version(s)

avo >= 3.0.0.beta1, < 3.2.4 < 3.0.0.beta1, 3.2.4

avo < 2.47.0 < 2.47.0

References

https://github.com/avo-hq/avo/security/advisories/GHSA-gh...
x_refsource_CONFIRM
https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744b...
x_refsource_MISC
https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c86...
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.