Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-05T22:13:21.458Z

Updated: 2024-08-02T16:01:54.127Z

Reserved: 2023-05-25T21:56:51.246Z

Link: CVE-2023-34103

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-06-05T23:15:12.627

Modified: 2024-11-21T08:06:33.153

Link: CVE-2023-34103

cve-icon Redhat

No data.