CVE

CVE-2023-34103

Stored XSS (Cross Site Scripting) in html content based fields of avo

CVE

CVE-2023-34103

Stored XSS (Cross Site Scripting) in html content based fields of avo

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit 7891c01e which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.3

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34103.json, https://github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39, https://nvd.nist.gov/vuln/detail/CVE-2023-34103, https://github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7dbccc43d27f385e5d08563

Severity

7.3

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.3

EPSS Probability

0.00651%

EPSS Percentile

0.70976%

Introduced Version

Fix Available

7891c01e1fba9ca5d7dbccc43d27f385e5d08563

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2023-34103

CVE-2023-34103

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

7.3

Basic Information

Fix Critical Vulnerabilities Instantly