Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-34103: Merge pull request from GHSA-5cr9-5jx3-2g39 · avo-hq/avo@7891c01

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit 7891c01e which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

CVE
#xss#vulnerability#git#ruby
    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

Explore

*   All features
*   Documentation
*   GitHub Skills
*   Blog
  • For

    • Enterprise
    • Teams
    • Startups
    • Education

    By Solution

    • CI/CD & Automation
    • DevOps
    • DevSecOps

    Case Studies

    • Customer Stories
    • Resources
    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

Repositories

*   Topics
*   Trending
*   Collections
  • Pricing

Related news

GHSA-5cr9-5jx3-2g39: avo vulnerable to Stored XSS (Cross Site Scripting) in html content based fields

### Summary Some avo fields are vulnerable to XSS when rendering html based content. ### Details During the analysis of the web application, a rendered field was discovered that did not filter JS / HTML tags in a safe way and can be abused to execute js code on a client side. The trix field uses the trix editor in the backend to edit rich text data which basically operates with html tags. To display the stored data in a rendered view, the HasHTMLAttributes concern is used. This can be exploited by an attacker to store javascript code in any trix field by intercepting the request and modifying the post data, as the trix editor does not allow adding custom html or js tags on the frontend. ### PoC ![image](https://user-images.githubusercontent.com/26464774/243434868-47857054-9b20-437f-842f-0750d53c9b0e.png) _Adding javascript in the post request which is used when editing a "post" resource (body is declared as a trix field)_ ![image](https://user-images.githubusercontent.com/26464774/2...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907