QwikSec

Security Database

CVE

CWE

Training

CVE-2024-22411

Published: Jan 16, 2024

Modified: Jun 2, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

Vendor	Product	Versions
avo-hq	avo	affected `>= 3.0.0.beta1, < 3.3.0` affected `< 2.47.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh

x_refsource_CONFIRM

https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347

x_refsource_MISC

https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258

x_refsource_MISC

https://github.com/avo-hq/avo/releases/tag/v2.47.0

x_refsource_MISC

https://github.com/avo-hq/avo/releases/tag/v3.3.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.