CVE-2023-34103

Public Exploit
Stored XSS (Cross Site Scripting) in html content based fields of avo

Description

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Category

7.3
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.52%
Vendor Advisory github.com
Affected: avo-hq avo
Published at:
Updated at:

References

Link Tags
https://github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39 exploit vendor advisory
https://github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7dbccc43d27f385e5d08563 patch

Frequently Asked Questions

What is the severity of CVE-2023-34103?
CVE-2023-34103 has been scored as a high severity vulnerability.
How to fix CVE-2023-34103?
To fix CVE-2023-34103, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-34103 being actively exploited in the wild?
It is possible that CVE-2023-34103 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-34103?
CVE-2023-34103 affects avo-hq avo.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.