Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/avo@3.24.1
Typegem
Namespace
Nameavo
Version3.24.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.30.3
Latest_non_vulnerable_version3.31.2
Affected_by_vulnerabilities
0
url VCID-b9dd-q5n1-3fcs
vulnerability_id VCID-b9dd-q5n1-3fcs
summary 
Avo has a XSS vulnerability on `return_to` param
## Description

A reflected cross-site scripting (XSS) vulnerability exists in
the `return_to` query parameter used in the avo interface.

An attacker can craft a malicious URL that injects arbitrary
JavaScript, which is executed when he clicks a dynamically
generated navigation button.

## Impact

This vulnerability may allow execution of arbitrary JavaScript
in the context of the application.

Impact varies depending on deployment:
- In unauthenticated setups: exploitable via crafted links sent to users.
- In authenticated setups: limited to authenticated users and
  requires interaction.
references
0
reference_url https://github.com/avo-hq/avo
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/avo-hq/avo
1
reference_url https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d
2
reference_url https://github.com/avo-hq/avo/pull/4330
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/avo-hq/avo/pull/4330
3
reference_url https://github.com/avo-hq/avo/releases/tag/v3.30.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/avo-hq/avo/releases/tag/v3.30.3
4
reference_url https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-33209.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-33209.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33209
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33209
fixed_packages
0
url pkg:gem/avo@3.30.3
purl pkg:gem/avo@3.30.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/avo@3.30.3
aliases CVE-2026-33209, GHSA-762r-27w2-q22j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b9dd-q5n1-3fcs
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/avo@3.24.1