GHSA-5cr9-5jx3-2g39

Suggest an improvement
Source
https://github.com/advisories/GHSA-5cr9-5jx3-2g39
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-5cr9-5jx3-2g39/GHSA-5cr9-5jx3-2g39.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5cr9-5jx3-2g39
Aliases
Published
2023-06-06T14:13:08Z
Modified
2024-06-25T17:20:12.084435Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
avo vulnerable to Stored XSS (Cross Site Scripting) in html content based fields
Details

Summary

Some avo fields are vulnerable to XSS when rendering html based content.

Details

During the analysis of the web application, a rendered field was discovered that did not filter JS / HTML tags in a safe way and can be abused to execute js code on a client side. The trix field uses the trix editor in the backend to edit rich text data which basically operates with html tags. To display the stored data in a rendered view, the HasHTMLAttributes concern is used. This can be exploited by an attacker to store javascript code in any trix field by intercepting the request and modifying the post data, as the trix editor does not allow adding custom html or js tags on the frontend.

PoC

image Adding javascript in the post request which is used when editing a "post" resource (body is declared as a trix field)

image Successful execution of JS code on live demo environment

Impact

Unlike non-persistent XSS, persistent XSS does not require a social engineering phase. Victims of this attack do not need to be tricked into clicking a link or something like that. However, by exploiting such a vulnerability on this particular target, attackers may be able to gain access to accounts that require special protection, such as administrators of the web service, which is what Avo is primarily intended to be used for.

Recommendation

The content of a field that contains html code should be sanitized using the according rails helper which uses a whitelist of known-safe tags and attributes. Also this security consideration should be applied to the “as_html” attribute as well because it may contain user controlled input as well.

https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

Database specific
{
    "nvd_published_at": "2023-06-05T23:15:12Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T14:13:08Z"
}
References

Affected packages

RubyGems / avo

Package

Name
avo
Purl
pkg:gem/avo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.33.3

Affected versions

0.*

0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.1
0.3.2
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta1
0.5.0.beta2
0.5.0.beta3
0.5.0.beta4
0.5.0.beta5
0.5.0.beta6
0.5.0.beta7
0.5.0.beta8
0.5.0.beta9
0.5.0.beta10
0.5.0.beta11
0.5.0.beta12
0.5.0.beta13
0.5.0.beta14
0.5.0.beta15

1.*

1.0.0
1.0.1
1.0.2
1.0.4
1.0.5
1.1.0.pre.1
1.1.0
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6.pre.1
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11.pre.1
1.2.11.pre.2
1.2.11.pre.3
1.2.11.pre.4
1.3.0.pre.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5.pre.1
1.3.5
1.4.0.pre.1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4.pre.1
1.4.4
1.4.5.pre.1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.1
1.6.2.pre.1
1.6.3.pre.1
1.6.3.pre.2
1.6.3.pre.3
1.6.4.pre.1
1.7.0
1.7.1
1.7.2
1.7.3.pre.1
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.9.0
1.9.1
1.10.0
1.10.1
1.10.2
1.10.3
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.13.3
1.14.0
1.15.0.pre.1
1.15.0
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.17.0
1.17.1
1.18.0.pre.1
1.18.0.pre.2
1.18.0.pre.3
1.18.0
1.18.1
1.18.2.pre.0
1.18.2
1.19.0
1.19.1.pre.1
1.19.1.pre.2
1.19.1.pre.3
1.19.1.pre.4
1.19.1.pre.5
1.19.1.pre.6
1.19.1.pre.7
1.19.1.pre.8
1.19.1.pre.9
1.19.1.pre.10
1.19.1.pre.11
1.20.1
1.20.2.pre.1
1.20.2.pre.2
1.21.0.pre.1
1.21.0
1.21.1.pre.1
1.22.0.pre.1
1.22.0
1.22.1.pre.1
1.22.1.pre.2
1.22.1
1.22.2
1.22.3
1.22.4
1.23.0
1.24.0
1.24.1
1.24.2
1.25.0
1.25.1
1.25.2

2.*

2.0.0
2.1.0
2.1.1
2.1.2.pre1
2.1.2.pre2
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1.pre.1
2.3.1.pre.2
2.3.1.pre.3
2.3.1.pre.4
2.3.1.pre.5
2.3.1.pre.6
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2.pre.1
2.5.2.pre.2
2.5.2.pre.3
2.5.2.pre.4
2.5.2.pre.5
2.5.2.pre.6
2.5.2.pre.7
2.6.0
2.6.1.pre.1
2.6.1.pre.2
2.7.0
2.7.1.pre.1
2.8.0
2.9.0
2.9.1.pre1
2.9.1.pre2
2.9.1.pre3
2.9.1.pre4
2.9.1.pre5
2.9.1.pre6
2.9.1.pre7
2.9.2.pre1
2.10.0
2.10.2
2.10.3.pre.1
2.11.0
2.11.1.pre.1
2.11.1.pre.2
2.11.1.pre.3
2.11.1
2.11.2.pre.1
2.11.2.pre.2
2.11.2.pre.3
2.11.3.pre.1
2.11.3.pre.2
2.11.3.pre.3
2.12.0
2.12.1.pre.1
2.13.0
2.13.1
2.13.2.pre.1
2.13.2.pre.2
2.13.3.pre.1
2.13.3.pre.2
2.13.3.pre.3
2.13.3.pre.4
2.13.4.pre.1
2.13.5.pre.1
2.13.5.pre.2
2.13.6.pre.1
2.13.6.pre.2
2.14.0
2.14.1.pre.1
2.14.1
2.14.2.pre.1
2.14.2
2.14.3.pre.1.branding
2.14.3.pre.2.tailwindcss
2.14.3.pre.3.jsbundling
2.14.3.pre.4.tosqlfix
2.14.3.pre.5.nosprockets
2.14.3.pre.6.nosprockets
2.14.3.pre.7.polytranslations1
2.15.0
2.15.1
2.15.2.pre.1
2.15.2
2.15.3.pre.1.data.attrs.to.sidebar.items
2.15.3
2.16.0
2.16.1.pre.1.nativefields
2.17.0
2.17.1.pre.1.zeitwerk.eager.load.dir
2.17.1.pre.2.customauthorizationclients
2.17.1.pre.3
2.17.1.pre.4.issue.1342
2.17.1.pre.5.stackedlayout
2.18.0
2.18.1.pre.1.eagerloaddirs
2.18.1
2.19.0
2.20.0
2.21.0
2.21.1.pre.issue1444
2.21.1.pre.issue1450
2.21.1.pre.pr1476
2.21.1.pre.pr1484
2.21.2.pre.pr1486
2.21.3.pre.pr1489
2.22.0
2.23.0
2.23.1
2.23.2
2.23.3.pre.1.pr1529
2.24.0
2.24.1
2.25.0
2.25.1.pre.1.pr1579
2.26.0
2.26.1.pr1584.pre.1
2.26.2.pre.pr1579
2.26.3.pre.pr1601
2.27.0
2.27.1
2.27.2.pre.pr1606
2.28.0
2.28.1.pre.pr1642
2.28.2.pre.pr1642
2.28.3.pre.pr1646
2.29.0
2.29.1.pre.pr1652
2.29.1
2.30.0
2.30.1.pre1.pr1683
2.30.1.pre2.pr1683
2.30.1.pre3.pr1683
2.30.1.pre4.pr1683
2.30.1
2.30.2
2.31.0
2.32.0
2.32.1
2.32.2
2.32.3
2.32.4
2.32.5
2.32.6
2.33.0
2.33.1
2.33.2
2.33.3.pre.1
2.33.3.pre.2

Database specific

{
    "last_known_affected_version_range": "<= 2.33.2"
}

RubyGems / avo

Package

Name
avo
Purl
pkg:gem/avo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0.pre1
Last affected
3.0.0.pre12

Affected versions

3.*

3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.pre4
3.0.0.pre5
3.0.0.pre6
3.0.0.pre7
3.0.0.pre8
3.0.0.pre9
3.0.0.pre10
3.0.0.pre11
3.0.0.pre12