Summary
I have noticed in my usage of Avo 3 pre12 that any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly, without sanitization, in the toast/notification that appears in the UI on Action completion.
PoC
Disable CSP then add the following action to some Resource:
class Avo::Actions::MyAction < Avo::BaseAction
  self.name = "An action"

  def handle(**args)
    error "<em>oh no</em><script>alert('boo')</script>"
  end
end
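A hardened counterpart to the PoC above, added here as an example (it is not part of this advisory or of the Avo code base). It assumes nothing about Avo beyond the error/succeed calls and uses only the Ruby standard library: the fixed wording of a toast stays author-controlled, while anything interpolated from records or form input is HTML-escaped before it reaches the notification, and a guard refuses to hand raw markup to the toast at all.

```ruby
require "erb"

# Helpers an action author can use to keep user-derived text out of the
# toast as live HTML (hypothetical module, not an Avo API).
module ToastMessage
  module_function

  # Escape &, <, >, " and ' so the text is displayed literally.
  def escape(text)
    ERB::Util.html_escape(text.to_s)
  end

  # true when the string still carries raw tag characters, i.e. it has not
  # been escaped and must not be passed to error/succeed as-is.
  def raw_markup?(text)
    text.to_s.match?(/[<>]/)
  end

  # Build the message for a failed action: the literal part is trusted,
  # the record label (user-controlled) is escaped first.
  def failure_for(record_label)
    message = "Could not process #{escape(record_label)}"
    raise ArgumentError, "unescaped markup in toast" if raw_markup?(message)
    message
  end
end

# Constructed sample input: the payload from the PoC, as it could arrive
# through a record name or a form field.
PAYLOAD = "<em>oh no</em><script>alert('boo')</script>"

# Inside an Avo action this would be:  error ToastMessage.failure_for(name)
if __FILE__ == $PROGRAM_NAME
  puts ToastMessage.failure_for(PAYLOAD)
end
```

The same escape step belongs in the framework's toast rendering as well, so that a message built without the helper is still shown as text rather than interpreted as markup.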
Impact
What kind of vulnerability is it? Who is impacted?
Note
This is the first time I use this advisories system to report something, hope it's ok!