Search for packages
| purl | pkg:gem/avo@3.8.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-b9dd-q5n1-3fcs
Aliases: CVE-2026-33209 GHSA-762r-27w2-q22j |
Avo has a XSS vulnerability on `return_to` param ## Description A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. ## Impact This vulnerability may allow execution of arbitrary JavaScript in the context of the application. Impact varies depending on deployment: - In unauthenticated setups: exploitable via crafted links sent to users. - In authenticated setups: limited to authenticated users and requires interaction. |
Affected by 1 other vulnerability. |
|
VCID-u68f-bw9j-dyh8
Aliases: CVE-2026-42205 GHSA-qc5p-3mg5-9fh8 |
Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources ### Summary A critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. ### Details The vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`. #### Vulnerable Code ```ruby def action_class # It searches through ALL descendants of BaseAction without # resource validation. Avo::BaseAction.descendants.find do |action| action.to_s == params[:action_id] end end ``` The controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`). Consequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping. ### Impact This flaw results in significant security risks: - **Privilege Escalation:** An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions. - **Unauthorized Operations:** Actions designed for restricted resources can be triggered against any record ID in the database. - **Data Integrity Compromise:** Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to. ### CREDIT Illunight |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:17:22.127834+00:00 | GitLab Importer | Affected by | VCID-u68f-bw9j-dyh8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/GHSA-qc5p-3mg5-9fh8.yml | 38.6.0 |
| 2026-06-06T08:16:19.351333+00:00 | GitLab Importer | Affected by | VCID-u68f-bw9j-dyh8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/CVE-2026-42205.yml | 38.6.0 |
| 2026-06-06T07:30:33.551051+00:00 | GitLab Importer | Affected by | VCID-b9dd-q5n1-3fcs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/avo/CVE-2026-33209.yml | 38.6.0 |
| 2026-06-04T18:16:09.831736+00:00 | Ruby Importer | Affected by | VCID-b9dd-q5n1-3fcs | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-33209.yml | 38.6.0 |