{"id":"GHSA-g8vp-2v5p-9qfh","summary":"Cross-site scripting (XSS) in Action messages on Avo","details":"Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross-site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.","aliases":["CVE-2024-22411"],"modified":"2024-02-16T08:21:46.009915Z","published":"2024-01-17T22:34:03Z","related":["CVE-2024-22411"],"database_specific":{"github_reviewed":true,"nvd_published_at":"2024-01-16T22:15:46Z","cwe_ids":["CWE-79"],"severity":"MODERATE","github_reviewed_at":"2024-01-17T22:34:03Z"},"references":[{"type":"WEB","url":"https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22411"},{"type":"WEB","url":"https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347"},{"type":"WEB","url":"https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258"},{"type":"PACKAGE","url":"https://github.com/avo-hq/avo"},{"type":"WEB","url":"https://github.com/avo-hq/avo/releases/tag/v2.47.0"},{"type":"WEB","url":"https://github.com/avo-hq/avo/releases/tag/v3.3.0"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2024-22411.yml"}],"affected":[{"package":{"name":"avo","ecosystem":"RubyGems","purl":"pkg:gem/avo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0.beta1"},{"fixed":"3.3.0"}]}],"versions":["3.0.0.beta1","3.0.0.pre1","3.0.0.pre10","3.0.0.pre11","3.0.0.pre12","3.0.0.pre13","3.0.0.pre14","3.0.0.pre15","3.0.0.pre16","3.0.0.pre17","3.0.0.pre18","3.0.0.pre19","3.0.0.pre2","3.0.0.pre3","3.
0.0.pre4","3.0.0.pre5","3.0.0.pre6","3.0.0.pre7","3.0.0.pre8","3.0.0.pre9","3.0.1.beta1","3.0.1.beta10","3.0.1.beta11","3.0.1.beta12","3.0.1.beta13","3.0.1.beta14","3.0.1.beta15","3.0.1.beta16","3.0.1.beta17","3.0.1.beta18","3.0.1.beta19","3.0.1.beta2","3.0.1.beta20","3.0.1.beta21","3.0.1.beta22","3.0.1.beta23","3.0.1.beta24","3.0.1.beta3","3.0.1.beta4","3.0.1.beta5","3.0.1.beta6","3.0.1.beta7","3.0.1.beta8","3.0.1.beta9","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.2.0","3.2.1","3.2.2","3.2.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g8vp-2v5p-9qfh/GHSA-g8vp-2v5p-9qfh.json"}},{"package":{"name":"avo","ecosystem":"RubyGems","purl":"pkg:gem/avo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.47.0"}]}],"versions":["0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.3.1","0.3.2","0.4.1","0.4.10","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.5.0.beta1","0.5.0.beta10","0.5.0.beta11","0.5.0.beta12","0.5.0.beta13","0.5.0.beta14","0.5.0.beta15","0.5.0.beta2","0.5.0.beta3","0.5.0.beta4","0.5.0.beta5","0.5.0.beta6","0.5.0.beta7","0.5.0.beta8","0.5.0.beta9","1.0.0","1.0.1","1.0.2","1.0.4","1.0.5","1.1.0","1.1.0.pre.1","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.13.0","1.13.1","1.13.2","1.13.3","1.14.0","1.15.0","1.15.0.pre.1","1.16.0","1.16.1","1.16.2","1.16.3","1.16.4","1.17.0","1.17.1","1.18.0","1.18.0.pre.1","1.18.0.pre.2","1.18.0.pre.3","1.18.1","1.18.2","1.18.2.pre.0","1.19.0","1.19.1.pre.1","1.19.1.pre.10","1.19.1.pre.11","1.19.1.pre.2","1.19.1.pre.3","1.19.1.pre.4","1.19.1.pre.5","1.19.1.pre.6","1.19.1.pre.7","1.19.1.pre.8","1.19.1.pre.9","1.2.10","1.2.11.pre.1","1.2.11.pre.2","1.2.11.pre.3","1.2.11.pre.4","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.6.pre.1","1.2.
7","1.2.8","1.2.9","1.20.1","1.20.2.pre.1","1.20.2.pre.2","1.21.0","1.21.0.pre.1","1.21.1.pre.1","1.22.0","1.22.0.pre.1","1.22.1","1.22.1.pre.1","1.22.1.pre.2","1.22.2","1.22.3","1.22.4","1.23.0","1.24.0","1.24.1","1.24.2","1.25.0","1.25.1","1.25.2","1.3.0","1.3.0.pre.1","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.5.pre.1","1.4.0","1.4.0.pre.1","1.4.1","1.4.2","1.4.3","1.4.4","1.4.4.pre.1","1.4.5.pre.1","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.6.0","1.6.1","1.6.2.pre.1","1.6.3.pre.1","1.6.3.pre.2","1.6.3.pre.3","1.6.4.pre.1","1.7.0","1.7.1","1.7.2","1.7.3","1.7.3.pre.1","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.9.0","1.9.1","2.0.0","2.1.0","2.1.1","2.1.2.pre1","2.1.2.pre2","2.10.0","2.10.2","2.10.3.pre.1","2.11.0","2.11.1","2.11.1.pre.1","2.11.1.pre.2","2.11.1.pre.3","2.11.2.pre.1","2.11.2.pre.2","2.11.2.pre.3","2.11.3.pre.1","2.11.3.pre.2","2.11.3.pre.3","2.12.0","2.12.1.pre.1","2.13.0","2.13.1","2.13.2.pre.1","2.13.2.pre.2","2.13.3.pre.1","2.13.3.pre.2","2.13.3.pre.3","2.13.3.pre.4","2.13.4.pre.1","2.13.5.pre.1","2.13.5.pre.2","2.13.6.pre.1","2.13.6.pre.2","2.14.0","2.14.1","2.14.1.pre.1","2.14.2","2.14.2.pre.1","2.14.3.pre.1.branding","2.14.3.pre.2.tailwindcss","2.14.3.pre.3.jsbundling","2.14.3.pre.4.tosqlfix","2.14.3.pre.5.nosprockets","2.14.3.pre.6.nosprockets","2.14.3.pre.7.polytranslations1","2.15.0","2.15.1","2.15.2","2.15.2.pre.1","2.15.3","2.15.3.pre.1.data.attrs.to.sidebar.items","2.16.0","2.16.1.pre.1.nativefields","2.17.0","2.17.1.pre.1.zeitwerk.eager.load.dir","2.17.1.pre.2.customauthorizationclients","2.17.1.pre.3","2.17.1.pre.4.issue.1342","2.17.1.pre.5.stackedlayout","2.18.0","2.18.1","2.18.1.pre.1.eagerloaddirs","2.19.0","2.2.0","2.2.1","2.2.2","2.20.0","2.21.0","2.21.1.pre.issue1444","2.21.1.pre.issue1450","2.21.1.pre.pr1476","2.21.1.pre.pr1484","2.21.2.pre.pr1486","2.21.3.pre.pr1489","2.22.0","2.23.0","2.23.1","2.23.2","2.23.3.pre.1.pr1529","2.24.0","2.24.1","2.25.0","2.25.1.pre.1.pr1579","2.26.0","2.26.1.pr1584.pre.1","2.26.2.pre.pr1
579","2.26.3.pre.pr1601","2.27.0","2.27.1","2.27.2.pre.pr1606","2.28.0","2.28.1.pre.pr1642","2.28.2.pre.pr1642","2.28.3.pre.pr1646","2.29.0","2.29.1","2.29.1.pre.pr1652","2.3.0","2.3.1.pre.1","2.3.1.pre.2","2.3.1.pre.3","2.3.1.pre.4","2.3.1.pre.5","2.3.1.pre.6","2.30.0","2.30.1","2.30.1.pre1.pr1683","2.30.1.pre2.pr1683","2.30.1.pre3.pr1683","2.30.1.pre4.pr1683","2.30.2","2.31.0","2.32.0","2.32.1","2.32.2","2.32.3","2.32.4","2.32.5","2.32.6","2.33.0","2.33.1","2.33.2","2.33.3","2.33.3.pre.1","2.33.3.pre.2","2.34.0","2.34.1","2.34.2","2.34.3","2.34.4","2.34.4.pre.1","2.34.5","2.34.6","2.34.7.pre.1","2.35.0","2.36.0","2.36.1","2.36.2","2.36.3","2.37.0","2.37.1","2.37.2","2.38.0","2.39.0","2.4.0","2.4.1","2.40.0","2.41.0","2.42.0","2.42.1","2.42.2","2.43.0","2.44.0","2.45.0","2.46.0","2.5.0","2.5.1","2.5.2.pre.1","2.5.2.pre.2","2.5.2.pre.3","2.5.2.pre.4","2.5.2.pre.5","2.5.2.pre.6","2.5.2.pre.7","2.6.0","2.6.1.pre.1","2.6.1.pre.2","2.7.0","2.7.1.pre.1","2.8.0","2.9.0","2.9.1.pre1","2.9.1.pre2","2.9.1.pre3","2.9.1.pre4","2.9.1.pre5","2.9.1.pre6","2.9.1.pre7","2.9.2.pre1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g8vp-2v5p-9qfh/GHSA-g8vp-2v5p-9qfh.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}]}