CVE-2024-22191: avo vulnerable to stored cross-site scripting (XSS) in key_value field
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-22191
GHSA ID:
EPSS Score: 0.75496%
CWE:
Published: 1/16/2024
Updated: 1/18/2024
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| avo | rubygems | >= 3.0.0.beta1, <= 3.2.3 | 3.2.4 |
| avo | rubygems | <= 2.46.0 | 2.47.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped HTML insertion when the key_value field is rendered. The commit diff shows that the fix added DOMPurify sanitization to the key and value parameters passed to interpolatedRow. Before the patch, that function built HTML by string interpolation directly from raw user input (the key_value_component.html.erb references point at lines 38-49), and the resulting markup was then injected into the DOM via innerHTML in the controller. The injection point was therefore the JavaScript controller's row generation rather than the ERB templates themselves, since the XSS executes in the context of client-side DOM manipulation.
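The row-generation pattern described above, as an added example that is not avo's own code: interpolatedRowUnsafe, interpolatedRow, escapeHtml, renderedTagNames and the row markup are assumptions, and a plain HTML escaper stands in for the DOMPurify call the real fix used, so the block runs without a DOM.

```javascript
// Added example (not avo's own code): the key/value row pattern described in the
// root-cause analysis. interpolatedRow, escapeHtml and the row markup are assumptions.

// Vulnerable shape: key and value go straight into an HTML string by template
// interpolation; the controller later assigns that string to innerHTML, so any
// markup inside a stored key or value becomes live DOM for whoever views the record.
function interpolatedRowUnsafe(key, value) {
  return `<div class="key-value-row">` +
    `<input class="key" value="${key}">` +
    `<input class="value" value="${value}">` +
    `</div>`;
}

// Escaping for text placed inside an attribute value or element body.
// The real fix used DOMPurify (per the analysis); escaping is a stand-in that
// needs no DOM and is sufficient when key/value are meant to be plain text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened shape: sanitize the parameters before they reach the interpolation.
function interpolatedRow(key, value) {
  return interpolatedRowUnsafe(escapeHtml(key), escapeHtml(value));
}

// Review aid: list the element names present in a rendered row. Anything beyond
// the template's own div/input/input means user data was interpreted as markup.
function renderedTagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample: a stored value carrying an image tag with an event handler.
const SAMPLE_KEY = 'color';
const SAMPLE_VALUE = '<img src=x onerror="alert(1)">';

function demo() {
  const unsafe = interpolatedRowUnsafe(SAMPLE_KEY, SAMPLE_VALUE);
  const safe = interpolatedRow(SAMPLE_KEY, SAMPLE_VALUE);
  return { unsafeTags: renderedTagNames(unsafe), safeTags: renderedTagNames(safe) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // unsafeTags gains an extra "img"; safeTags stays div/input/input
}
```

The renderedTagNames check is a coarse review aid for string-built markup; it does not replace sanitizing at the point where user data enters the HTML.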