Package Instance

Avo has a XSS vulnerability on `return_to` param
## Description

A reflected cross-site scripting (XSS) vulnerability exists in
the `return_to` query parameter used in the avo interface.

An attacker can craft a malicious URL that injects arbitrary
JavaScript, which is executed when he clicks a dynamically
generated navigation button.

## Impact

This vulnerability may allow execution of arbitrary JavaScript
in the context of the application.

Impact varies depending on deployment:
- In unauthenticated setups: exploitable via crafted links sent to users.
- In authenticated setups: limited to authenticated users and
  requires interaction.

Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
### Summary

A critical Broken Access Control vulnerability was identified in the
`ActionsController` of the Avo framework (v3.x). Due to insecure
action lookup logic, an authenticated user can execute any Action
class (descendants of `Avo::BaseAction`) on any resource, even if
the action is not registered for that specific resource. This leads
to Privilege Escalation and unauthorized data manipulation across
the entire application.

### Details

The vulnerability exists in the `action_class` method within
`app/controllers/avo/actions_controller.rb`.

#### Vulnerable Code

```ruby
def action_class
  # It searches through ALL descendants of BaseAction without
  #    resource validation.
  Avo::BaseAction.descendants.find do |action|
    action.to_s == params[:action_id]
  end
end
```

The controller identifies the action class to execute solely based
on the `params[:action_id]` by searching through all `BaseAction`
descendants. It fails to verify whether the requested action is
actually permitted or registered for the resource context specified
in the request URL (e.g., `/admin/resources/posts/actions`).

Consequently, an attacker can invoke sensitive actions (e.g.,
`Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint
(e.g., `Post`), bypassing the intended resource-action mapping.

### Impact

This flaw results in significant security risks:

- **Privilege Escalation:** An authenticated user with low privileges
  can execute administrative actions (like toggling admin roles) to
  escalate their own or others' permissions.
- **Unauthorized Operations:** Actions designed for restricted
  resources can be triggered against any record ID in the database.
- **Data Integrity Compromise:** Attackers can perform unauthorized
  destructive operations (e.g., Delete, Archive, or Update) on records
  they should not have access to.

### CREDIT

Illunight