8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-qc5p-3mg5-9fh8

GHSA-qc5p-3mg5-9fh8: Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary

A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.

Details

The vulnerability exists in the action_class method within app/controllers/avo/actions_controller.rb.

Vulnerable Code

def action_class
  # It searches through ALL descendants of BaseAction without resource validation
  Avo::BaseAction.descendants.find do |action|
    action.to_s == params[:action_id]
  end
end

The controller identifies the action class to execute solely based on the params[:action_id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).

Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.

Impact

This flaw results in significant security risks:

Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.

Proof of Concept (PoC)

Steps to Reproduce:

Log in to the Avo admin panel with limited permissions.
Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., Avo::Actions::ToggleAdmin).
Send a POST request to a resource endpoint where the target action is not registered:
- URL: POST /admin/resources/posts/actions
- Payload: action_id=Avo::Actions::ToggleAdmin&fields[avo_resource_ids]=1
The server executes the ToggleAdmin logic on User 1, even though the request was made through the posts resource context.

PoC Script Snippet:

# Simulating the unauthorized action execution
data = {
    'action_id': 'Avo::Actions::ToggleAdmin',
    'fields[avo_resource_ids]': '1', # Target Record ID
    'authenticity_token': csrf_token
}
response = session.post(f"{BASE_URL}/admin/resources/posts/actions", data=data)

Remediation

Restrict the action lookup to only those actions explicitly registered for the current resource context:

def action_class
  # Validate that the action is registered for the current resource
  @resource.get_actions.find do |action|
    action.to_s == params[:action_id]
  end
end

Discoverer

Illunight

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-qc5p-3mg5-9fh8

GHSA-qc5p-3mg5-9fh8:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
avo	rubygems	< 3.31.2	3.31.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic Broken Access Control issue within the Avo framework's ActionsController. The root cause is the insecure implementation of the action_class method, which is responsible for determining which action to execute. According to the vulnerability description, the original code searched through all available action classes (Avo::BaseAction.descendants) based on a user-provided action_id, without checking if that action was permitted for the target resource. This allows an attacker to call administrative or destructive actions on resources they should not have access to. The analysis of the patch confirms that the fix was applied directly to the action_class method. The patch commit 9755b719cdf96095e10e06f1ea545ca5893a56c5 refactors the lookup to be scoped to the resource by introducing and using @resource.find_action. Therefore, Avo::ActionsController.action_class is the precise location of the vulnerability.

Vulnerable functions

Avo::ActionsController.action_class

app/controllers/avo/actions_controller.rb

This method is responsible for resolving the action class to be executed based on the `action_id` parameter from the request. The vulnerable version of this method searched through all descendants of `Avo::BaseAction` globally, without verifying if the found action was actually registered for the specific resource being targeted. This flaw allowed an authenticated user to execute any action on any resource, leading to a broken access control vulnerability.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-qc5p-3mg5-9fh8: Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary

Details

Vulnerable Code

Impact

Proof of Concept (PoC)

Remediation

Discoverer

GHSA-qc5p-3mg5-9fh8:

8.8

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

GHSA-qc5p-3mg5-9fh8: Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary

Details

Vulnerable Code

Impact

Proof of Concept (PoC)

Remediation

Discoverer

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

8.8

8.8

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI