[GHSA-g8vp-2v5p-9qfh] Cross-site scripting (XSS) in Action messages on Avo

[tamaloa]

Updates

• Affected products

Comments
The original repository advisory only mentioned one specific version (3.0.0.pre12) to be affected. As this advisory causes all older versions of avo to be flagged as vulnerable I propose the following changes which I verified manually (see linked repository).

I verified the vulnerability as described for version 3.0.0.pre12 (tamaloa/avo-CVE-2024-22411@ae0df1d).

I also verified that version 2.47.0 is NOT vulnerable (tamaloa/avo-CVE-2024-22411@bb1dc89).

Maybe the initial reporter (@stevegeek) could add insight if really only 3.0.0.pre12 was affected or more versions. Unfortunately on a quick look I could not find a tag / commit connected to this version and thus was unable to verify the actual code changes.

[github]

Hi there @stevegeek and @adrianthedev! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[shelbyc]

Hi @tamaloa, thanks for reaching out about GHSA-g8vp-2v5p-9qfh. This is definitely an interesting advisory, and I read your comments on avo-hq/avo#2382. We'll accept the contribution of a backported fix to the GitHub Advisory Database and update the CVE record to indicate that 2.47.0 is also patched.

I found the same fix from 2.47.0 at avo-hq/avo@51bb80b. I noticed there is no version 3.0.0 on GitHub or on rubygems.org, but this fix is tagged with 3.2.4 on GitHub. No release notes for 3.2.4 exist, nor does the version appear on https://rubygems.org/gems/avo/versions. rubygems.org marks 3.3.0, released on 16 January 2024, as the first version released after the fix was committed on 12 January 2024. The release notes for 3.3.0 indicate that avo-hq/avo#2357, which contains the fix for CVE-2024-22411 on the 3.x branch, was incorporated into this version of avo. I've also updated the advisory and CVE records to incorporate these findings.

@stevegeek @adrianthedev if the changes I've made are inaccurate, please let me know.

[advisory-database]

Hi @tamaloa! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[tamaloa]

@shelbyc wow that really is a thorough investigation 👍 . Thanks for your effort and patience!

[adrianthedev]

Yes @shelbyc. Indeed a thorough investigation. Thank you.

That is correct, 3.2.4 never existed. It was filled in by the reporter as that was the next patch release (from then current version 3.2.3).
But we never released the patch version and went straight to the next minor version 3.3.0.