CVE-2023-34102

Published: Jun 5, 2023

Modified: Jan 8, 2025

PUBLISHED

CVSS v3.1

8.3

HIGH

Description

Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d` which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.

Vendor	Product	Versions
avo-hq	avo	affected `<= 2.33.2` affected `>= 3.0.0.pre1, <= 3.0.0.pre12`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

References

https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx

x_refsource_CONFIRM

https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-34102

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References