CVE-2024-22191

CVE-2024-22191 is a high-severity vulnerability in Avohq Avo with a CVSS 3.x base score of 7.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting (XSS) vulnerability was found in the key_value field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability could be used to steal sensitive information from victims that could be used to hijack victims' accounts or redirect them to malicious websites. Avo 3.2.4 and 2.47.0 include a fix for this issue. Users are advised to upgrade.

Frequently asked questions

What is CVE-2024-22191?
Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting (XSS) vulnerability was found in the key_value field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability could be used to steal sensitive information from victims that could be used to hijack victims' accounts or redirect them to malicious websites. Avo 3.2.4 and 2.47.0 include a fix for this issue. Users are advised to upgrade.
How severe is CVE-2024-22191?
CVE-2024-22191 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2024-22191 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (50th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-22191?
CVE-2024-22191 affects Avohq Avo. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-22191?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2024-22191 have an EU (EUVD) identifier?
Yes. CVE-2024-22191 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0356.
When was CVE-2024-22191 published?
CVE-2024-22191 was published on 2024-01-16 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Avohq Avo

All CVEs affecting Avohq Avo →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →