Moderate severityNVD Advisory· Published Jan 16, 2024· Updated Jun 2, 2025
Cross site scripting in Action messages on Avo
CVE-2024-22411
Description
Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.3.0 and 2.47.0 releases of Avo. Users are advised to upgrade.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
avoRubyGems | >= 3.0.0.beta1, < 3.3.0 | 3.3.0 |
avoRubyGems | < 2.47.0 | 2.47.0 |
Affected products
1Patches
2fc92a05a8556security: v2 CVE-2024-22191 (#2382)
3 files changed · +8 −1
app/javascript/js/controllers/fields/key_value_controller.js+2 −1 modified@@ -1,4 +1,5 @@ /* eslint-disable max-len */ +import * as DOMPurify from 'dompurify' import { Controller } from '@hotwired/stimulus' import { castBoolean } from '../../helpers/cast_boolean' @@ -80,7 +81,7 @@ export default class extends Controller { let index = 0 this.fieldValue.forEach((row) => { const [key, value] = row - result += this.interpolatedRow(key, value, index) + result += this.interpolatedRow(DOMPurify.sanitize(key), DOMPurify.sanitize(value), index) index++ }) this.rowsTarget.innerHTML = result
package.json+1 −0 modified@@ -36,6 +36,7 @@ "codemirror": "5.59.1", "core-js": "^3.21.0", "css-loader": "^6.7.0", + "dompurify": "^3.0.8", "easymde": "^2.18.0", "el-transition": "^0.0.7", "esbuild": "^0.14.25",
yarn.lock+5 −0 modified@@ -1298,6 +1298,11 @@ doctrine@^3.0.0: dependencies: esutils "^2.0.2" +dompurify@^3.0.8: + version "3.0.8" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437" + integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ== + easymde@^2.18.0: version "2.18.0" resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"
51bb80b181cdsecurity: sanitize key_value field content (#2357)
3 files changed · +8 −1
app/javascript/js/controllers/fields/key_value_controller.js+2 −1 modified@@ -1,4 +1,5 @@ /* eslint-disable max-len */ +import * as DOMPurify from 'dompurify' import { Controller } from '@hotwired/stimulus' import { castBoolean } from '../../helpers/cast_boolean' @@ -80,7 +81,7 @@ export default class extends Controller { let index = 0 this.fieldValue.forEach((row) => { const [key, value] = row - result += this.interpolatedRow(key, value, index) + result += this.interpolatedRow(DOMPurify.sanitize(key), DOMPurify.sanitize(value), index) index++ }) this.rowsTarget.innerHTML = result
package.json+1 −0 modified@@ -34,6 +34,7 @@ "codemirror": "5.59.1", "core-js": "^3.35.0", "css-loader": "^6.9.0", + "dompurify": "^3.0.8", "easymde": "^2.18.0", "el-transition": "^0.0.7", "esbuild": "^0.14.54",
yarn.lock+5 −0 modified@@ -2090,6 +2090,11 @@ doctrine@^3.0.0: dependencies: esutils "^2.0.2" +dompurify@^3.0.8: + version "3.0.8" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.8.tgz#e0021ab1b09184bc8af7e35c7dd9063f43a8a437" + integrity sha512-b7uwreMYL2eZhrSCRC4ahLTeZcPZxSmYfmcQGXGkXiZSNW1X85v+SDM5KsWcpivIiUBH47Ji7NtyUdpLeF5JZQ== + easymde@^2.18.0: version "2.18.0" resolved "https://registry.yarnpkg.com/easymde/-/easymde-2.18.0.tgz#ff1397d07329b1a7b9187d2d0c20766fa16b3b1b"
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-g8vp-2v5p-9qfhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-22411ghsaADVISORY
- github.com/avo-hq/avo/commit/51bb80b181cd8e31744bdc4e7f9b501c81172347ghsax_refsource_MISCWEB
- github.com/avo-hq/avo/commit/fc92a05a8556b1787c8694643286a1afa6a71258ghsax_refsource_MISCWEB
- github.com/avo-hq/avo/releases/tag/v2.47.0ghsax_refsource_MISCWEB
- github.com/avo-hq/avo/releases/tag/v3.3.0ghsax_refsource_MISCWEB
- github.com/avo-hq/avo/security/advisories/GHSA-g8vp-2v5p-9qfhghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2024-22411.ymlghsaWEB
News mentions
0No linked articles in our index yet.