CVE-2023-34103

Published: Jun 5, 2023

Modified: Jan 8, 2025

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Vendor	Product	Versions
avo-hq	avo	affected `<= 2.33.2` affected `>= 3.0.0.pre1, <= 3.0.0.pre12`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39

x_refsource_CONFIRM

https://github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7dbccc43d27f385e5d08563

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-34103

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References