VulnerableCode Package Details - pkg:gem/avo@3.31.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-u68f-bw9j-dyh8 Aliases: CVE-2026-42205 GHSA-qc5p-3mg5-9fh8	Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources ### Summary A critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. ### Details The vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`. #### Vulnerable Code ```ruby def action_class # It searches through ALL descendants of BaseAction without # resource validation. Avo::BaseAction.descendants.find do \|action\| action.to_s == params[:action_id] end end ``` The controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`). Consequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping. ### Impact This flaw results in significant security risks: - Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions. - Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database. - Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to. ### CREDIT Illunight	3.31.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-u68f-bw9j-dyh8
Aliases:
CVE-2026-42205
GHSA-qc5p-3mg5-9fh8

Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources ### Summary A critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. ### Details The vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`. #### Vulnerable Code ```ruby def action_class # It searches through ALL descendants of BaseAction without # resource validation. Avo::BaseAction.descendants.find do |action| action.to_s == params[:action_id] end end ``` The controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`). Consequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping. ### Impact This flaw results in significant security risks: - **Privilege Escalation:** An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions. - **Unauthorized Operations:** Actions designed for restricted resources can be triggered against any record ID in the database. - **Data Integrity Compromise:** Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to. ### CREDIT Illunight

3.31.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:17:22.603838+00:00	GitLab Importer	Affected by	VCID-u68f-bw9j-dyh8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/GHSA-qc5p-3mg5-9fh8.yml	38.6.0
2026-06-06T08:16:19.919628+00:00	GitLab Importer	Affected by	VCID-u68f-bw9j-dyh8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/CVE-2026-42205.yml	38.6.0

2026-06-06T08:17:22.603838+00:00

GitLab Importer

Affected by

VCID-u68f-bw9j-dyh8

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/GHSA-qc5p-3mg5-9fh8.yml

38.6.0

2026-06-06T08:16:19.919628+00:00

GitLab Importer

Affected by

VCID-u68f-bw9j-dyh8

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/CVE-2026-42205.yml

38.6.0

Next non-vulnerable version	3.31.2
Latest non-vulnerable version	3.31.2
Risk	4.0