CVE-2024-22191

7.3 HIGH

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Avo's key_value field allows attackers to inject malicious JavaScript that executes in victims' browsers. This affects Ruby on Rails applications using Avo admin panels versions 3.2.3 and 2.46.0 (and possibly older versions). Attackers could steal sensitive information, hijack accounts, or redirect users to malicious sites.

💻 Affected Systems

Products:
  • Avo (Ruby on Rails admin panel framework)
Versions: v3.2.3 and v2.46.0 (potentially older versions)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Avo's key_value field. The vulnerability exists in the HTML rendering without proper sanitization.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, sensitive data exfiltration, and redirection to phishing sites leading to credential theft and lateral movement.

🟠

Likely Case

Session hijacking, theft of admin panel credentials, and unauthorized access to administrative functions.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to create or modify key_value field content. The vulnerability is straightforward to exploit once an attacker gains appropriate access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Avo 3.2.4 and 2.47.0

Vendor Advisory: https://github.com/avo-hq/avo/security/advisories/GHSA-ghjv-mh6x-7q6h

Restart Required: Yes

Instructions:

1. Update the Gemfile to require the avo gem at '>=3.2.4' (v3) or '>=2.47.0' (v2).
2. Run 'bundle update avo'.
3. Restart the Rails application server.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all

Implement server-side validation and sanitization for key_value field inputs before storage.
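As an added example (not Avo's own code), the Ruby module below shows the shape of this workaround for a key_value attribute stored as a hash of string pairs: the input side rejects anything that looks like markup instead of trying to clean it, and the output side escapes every key and value regardless of what was validated on the way in. The module name, the limits and the sample hashes are assumptions constructed for the example.

```ruby
require "erb"

# Hypothetical sanitizer for a key_value attribute (added example, not Avo code).
# The attribute is assumed to arrive as a Hash of String => String pairs.
module KeyValueSanitizer
  MAX_PAIRS = 50
  MAX_LEN = 255
  # Reject, rather than strip, anything that looks like a tag, an inline event
  # handler or a script-capable URL so the stored data stays plain text.
  FORBIDDEN = /<|>|javascript:|on\w+\s*=/i

  class InvalidInput < StandardError; end

  # Validate and normalise a raw hash before it is written to the model.
  # Returns a new hash of trimmed plain strings, or raises InvalidInput.
  def self.sanitize(raw)
    raise InvalidInput, "expected a hash" unless raw.is_a?(Hash)
    raise InvalidInput, "too many pairs" if raw.size > MAX_PAIRS

    raw.each_with_object({}) do |(k, v), out|
      key = k.to_s.strip
      val = v.to_s.strip
      [key, val].each do |s|
        raise InvalidInput, "value too long" if s.length > MAX_LEN
        raise InvalidInput, "markup not allowed: #{s.inspect}" if s.match?(FORBIDDEN)
      end
      out[key] = val
    end
  end

  # Defence in depth on the rendering side: escape every key and value at
  # output time, independent of whatever validation ran on input.
  def self.render_rows(pairs)
    pairs.map do |k, v|
      "<tr><td>#{ERB::Util.html_escape(k)}</td><td>#{ERB::Util.html_escape(v)}</td></tr>"
    end.join("\n")
  end
end

# Constructed sample inputs: one benign hash and one carrying a script tag.
CLEAN = { "env" => "production", "owner" => "team-a" }
TAINTED = { "note" => "<script>alert(1)</script>" }

if __FILE__ == $PROGRAM_NAME
  p KeyValueSanitizer.sanitize(CLEAN)
  begin
    KeyValueSanitizer.sanitize(TAINTED)
  rescue KeyValueSanitizer::InvalidInput => e
    puts "rejected: #{e.message}"
  end
  puts KeyValueSanitizer.render_rows(TAINTED)
end
```

In a Rails model this would typically run from a `before_validation` callback on the attribute; the rendering helper is the part that matters most, because escaping at output time is what the advisory's fix restores.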

Content Security Policy (CSP)
Applies to: all

Implement strict CSP headers to mitigate XSS impact by restricting script execution sources.

🧯 If You Can't Patch

  • Disable or restrict access to the key_value field functionality in Avo admin panels.
  • Implement web application firewall (WAF) rules to detect and block XSS payloads in requests.

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for avo gem version 3.2.3 or 2.46.0 (or potentially older), and review whether the key_value field is used anywhere without input sanitization.

Check Version:

grep -A 1 'avo' Gemfile.lock

Verify Fix Applied:

Confirm avo gem version is 3.2.4 or higher (for v3) or 2.47.0 or higher (for v2) in Gemfile.lock after update.
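The version check above can be scripted so it compares the resolved avo version against the fixed versions for each major line rather than eyeballing grep output. The following Ruby snippet is an added example, not part of this advisory or of Avo; the Gemfile.lock excerpt is constructed, and the `specs:` indentation it relies on (four spaces for resolved gems, six for their dependencies) is Bundler's lockfile layout.

```ruby
require "rubygems" # Gem::Version

# Constructed Gemfile.lock excerpt (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.1.3)
      avo (3.2.3)
        actionpack (>= 6.1)
      rails (7.1.3)
LOCK

# First fixed version per major line, from the advisory for CVE-2024-22191.
FIXED = {
  3 => Gem::Version.new("3.2.4"),
  2 => Gem::Version.new("2.47.0"),
}.freeze

# Extract the resolved avo version from a Gemfile.lock body. Resolved gems
# sit in the "specs:" block as "    name (version)" with four-space indent;
# dependency lines are indented six, so they never match.
def avo_version(lock_text)
  m = lock_text.match(/^ {4}avo \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# Returns :not_present, :unknown_major, :vulnerable or :fixed.
def avo_status(lock_text)
  version = avo_version(lock_text)
  return :not_present unless version

  fixed = FIXED[version.segments.first]
  # Majors other than 2 and 3 are outside the advisory; report rather than guess.
  return :unknown_major unless fixed

  version >= fixed ? :fixed : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "avo #{avo_version(text)}: #{avo_status(text)}"
end
```

Run it against a real lockfile with `ruby check_avo.rb Gemfile.lock`; with no argument it evaluates the embedded sample and reports `:vulnerable`.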

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in POST/PUT requests to key_value endpoints
  • Multiple failed login attempts from unexpected locations following key_value updates

Network Indicators:

  • Outbound connections to unknown domains following admin panel access
  • Unexpected redirects from admin panel pages

SIEM Query:

source="rails_logs" AND (message:"key_value" AND (message:"script" OR message:"javascript" OR message:"onerror"))
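For teams without a SIEM, the same indicator logic can be run directly over Rails request logs. The Ruby script below is an added example (not from this advisory or from Avo): it pairs each `Started POST/PUT/PATCH` line with the `Parameters:` line that follows and flags requests whose parameters carry the markers the query above looks for. The log lines, the `/avo/resources/...` path and the `metadata` parameter name are constructed for the example; a real deployment would match its own resource paths and key_value field names.

```ruby
# Constructed Rails log excerpt: one benign update and one carrying a payload.
LOG_LINES = [
  'Started PATCH "/avo/resources/products/41" for 198.51.100.7 at 2024-02-01 09:58:10 +0000',
  'Processing by Avo::ProductsController#update as HTML',
  '  Parameters: {"product"=>{"metadata"=>{"env"=>"production"}}, "id"=>"41"}',
  'Started GET "/avo/resources/products/41" for 198.51.100.7 at 2024-02-01 09:58:11 +0000',
  'Started PATCH "/avo/resources/products/42" for 203.0.113.5 at 2024-02-01 10:00:00 +0000',
  'Processing by Avo::ProductsController#update as HTML',
  '  Parameters: {"product"=>{"metadata"=>{"note"=>"<script>alert(1)</script>"}}, "id"=>"42"}',
].freeze

# Markers mirroring the SIEM query above, plus the common tag-based carriers.
PAYLOAD = /<\s*script|javascript:|on(?:error|load|click|mouseover)\s*=|<\s*(?:img|svg|iframe)\b/i
# Only write requests can store a value; GETs are ignored.
WRITE   = /\AStarted (?:POST|PUT|PATCH) "(\S+)" for (\S+) at (.+)\z/
PARAMS  = /\A\s*Parameters: (.+)\z/

# Walk the log once, remembering the most recent write request and checking
# the Parameters line that belongs to it. Returns one hash per suspicious
# request with :path, :ip, :at and the matched :indicator.
def suspicious_requests(lines)
  hits = []
  current = nil
  lines.each do |line|
    if (m = line.match(WRITE))
      current = { path: m[1], ip: m[2], at: m[3] }
    elsif line.start_with?("Started ")
      current = nil # a GET or other non-write request
    elsif current && (m = line.match(PARAMS))
      if (p = m[1].match(PAYLOAD))
        hits << current.merge(indicator: p[0])
      end
      current = nil
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  lines = ARGV[0] ? File.readlines(ARGV[0], chomp: true) : LOG_LINES
  suspicious_requests(lines).each do |h|
    puts "#{h[:at]} #{h[:ip]} #{h[:path]} indicator=#{h[:indicator].inspect}"
  end
end
```

Note that Rails applies `filter_parameters` before logging, so if the key_value field is filtered the payload never reaches the log and this check has to move to the application layer (for example, the model validation shown under the workarounds).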
