logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-22191 avo

Package

Manager: gem
Name: avo
Vulnerable Version: >=3.0.0.beta1 <3.2.4 || >=0 <2.47.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0096 pctl0.75602

Details

avo vulnerable to stored cross-site scripting (XSS) in key_value field ### Summary A **stored cross-site scripting (XSS)** vulnerability was found in the **key_value** field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. ### Details The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability can be exploited by an attacker to inject malicious JavaScript code into the key_value field. When a victim views the page containing the malicious code, the code will be executed in their browser. In [avo/fields/common/key_value_component.html.erb]( https://github.com/avo-hq/avo/blob/main/app/components/avo/fields/common/key_value_component.html.erb#L38C21-L38C33) the value is taken in lines **38** and **49** and seems to be interpreted directly as html in lines **44** and **55**. ### PoC ![POC](https://user-images.githubusercontent.com/26570201/295596307-5d4f563e-99c0-4981-a82e-fc42cfd902c5.gif) To reproduce the vulnerability, follow these steps: 1. Edit an entry with a key_value field. 2. Enter the following payload into the value field: ```POC\"> <script>alert( 'XSS in key_value' );</script> <strong>Outside-tag</strong``` 3. Save the entry. 4. Go to the index page and click on the eye icon next to the entry. The malicious JavaScript code will be executed and an alert box will be displayed. _On the show and edit page the alert seems not to pop up, but the strong tag breaks out of the expected html tag_ ### Impact This vulnerability could be used to steal sensitive information from victims that could be used to hijack victims' accounts or redirect them to malicious websites.

Metadata

Created: 2024-01-16T15:24:00Z
Modified: 2024-06-25T16:56:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-ghjv-mh6x-7q6h/GHSA-ghjv-mh6x-7q6h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-ghjv-mh6x-7q6h
Finding: F425
Auto approve: 1