CVE-2024-22411
- Source
- https://cve.org/CVERecord?id=CVE-2024-22411
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22411.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-22411
- Aliases
- Published
- 2024-01-16T21:57:44.824Z
- Modified
- 2026-03-14T12:27:16.173995Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Cross site scripting in Action messages on Avo
- Details
-
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to
errororsucceedin anAvo::BaseActionsubclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade. - Database specific
{ "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22411.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22411.json
- https://github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347
- https://github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258
- https://github.com/avo-hq/avo/releases/tag/v2.47.0
- https://github.com/avo-hq/avo/releases/tag/v3.3.0
- https://github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfh
- https://nvd.nist.gov/vuln/detail/CVE-2024-22411