Описание
Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit ec117882d which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
Ссылки
- Patch
- ExploitVendor Advisory
- Patch
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.33.2 (включая)
Одно из
cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:*
cpe:2.3:a:avohq:avo:3.0.0:pre12:*:*:*:ruby:*:*
EPSS
Процентиль: 91%
0.0684
Низкий
8.3 High
CVSS3
8.8 High
CVSS3
Дефекты
CWE-20
CWE-470
Связанные уязвимости
CVSS3: 8.3
github
больше 2 лет назад
avo possible unsafe reflection / partial DoS vulnerability
EPSS
Процентиль: 91%
0.0684
Низкий
8.3 High
CVSS3
8.8 High
CVSS3
Дефекты
CWE-20
CWE-470