CVE-2024-22411 — MEDIUM (6.5)

Q: How severe is CVE-2024-22411?

CVE-2024-22411 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-22411?

Check the references section above for vendor advisories and patch information. Affected products include: Avohq Avo.

Vulnerability Description

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Avohq	Avo	< 2.47.0

Related Weaknesses (CWE)

CWE-79

References

https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347Patch
https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258Patch
https://github.com/avo-hq/avo/releases/tag/v2.47.0Release Notes
https://github.com/avo-hq/avo/releases/tag/v3.3.0Release Notes
https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfhExploitVendor Advisory
https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347Patch
https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258Patch
https://github.com/avo-hq/avo/releases/tag/v2.47.0Release Notes
https://github.com/avo-hq/avo/releases/tag/v3.3.0Release Notes
https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfhExploitVendor Advisory

FAQ

What is CVE-2024-22411?

CVE-2024-22411 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly...

How severe is CVE-2024-22411?

CVE-2024-22411 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-22411?

Check the references section above for vendor advisories and patch information. Affected products include: Avohq Avo.