Avo has an XSS vulnerability in the `return_to` parameter
Avo is a framework for building admin panels for Ruby on Rails applications. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used by the Avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript into a dynamically generated navigation button; the script runs in the victim's browser when the victim clicks that button. This issue has been patched in version 3.30.3. Applications can confirm the installed version with `bundle info avo` (or by inspecting `Gemfile.lock`) and should upgrade to 3.30.3 or later.
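The following is an added example, not Avo's code or the patch linked below. It reconstructs the bug class the advisory describes (a user-controlled `return_to` value ending up in the `href` of a generated "Back" button) and places a vulnerable rendering next to a hardened one. The helper names `safe_return_to`, `back_button_vulnerable`, `back_button_hardened` and the fallback path `/admin` are assumptions for illustration; the attacker payload is constructed.

```ruby
require "uri"
require "erb"

# Added example, not Avo's code. Reconstructs the bug class from the advisory:
# a user-controlled return_to value is placed in the href of a generated
# "Back" button. The vulnerable form is kept for comparison; the hardened
# form validates the value and escapes it for the attribute context.

FALLBACK_PATH = "/admin" # assumed landing page used when return_to is rejected

# Accept only a same-origin, path-only reference such as "/resources/1?page=2".
# Anything with a scheme (javascript:, data:, https:), a host (//evil.example),
# userinfo, a backslash, or that fails to parse falls back to FALLBACK_PATH.
def safe_return_to(param, fallback: FALLBACK_PATH)
  return fallback if param.nil? || param.strip.empty?
  return fallback if param.include?("\\") # browsers treat "/\evil" like "//evil"

  uri = begin
    URI.parse(param)
  rescue URI::InvalidURIError
    return fallback
  end

  return fallback unless uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
  return fallback unless uri.path.start_with?("/") && !uri.path.start_with?("//")
  param
end

# Vulnerable pattern: the raw parameter is interpolated into markup. A value of
# "javascript:alert(1)" yields a button that runs script when clicked.
def back_button_vulnerable(return_to)
  %(<a class="button" href="#{return_to}">Back</a>)
end

# Hardened pattern: validate first, then escape for the attribute context so
# quotes and ampersands in a legitimate path cannot break out of href.
def back_button_hardened(return_to)
  href = ERB::Util.html_escape(safe_return_to(return_to))
  %(<a class="button" href="#{href}">Back</a>)
end

if __FILE__ == $PROGRAM_NAME
  payload = "javascript:alert(document.cookie)" # constructed attacker input
  puts back_button_vulnerable(payload)
  puts back_button_hardened(payload)
  puts back_button_hardened("/resources/1?page=2&sort=name")
end
```

The validation deliberately rejects anything that is not a local path rather than trying to blocklist dangerous schemes: scheme-relative URLs (`//evil.example`), backslash variants and unparseable values all collapse to the fallback, and the escaping step is still applied so a legitimate path containing `&` or `"` renders correctly inside the attribute.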
References
- Advisory: https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j
- Fix (pull request): https://github.com/avo-hq/avo/pull/4330
- Fix (commit): https://github.com/avo-hq/avo/commit/4453d39ddc6309f3bc8ada73ef21e1971112de7d
- Release: https://github.com/avo-hq/avo/releases/tag/v3.30.3
Affected products
- avo < 3.30.3
Matching in nixpkgs (substring matches on "avo"; none of the packages below is the Avo admin framework for Rails)
pkgs.havoc
Minimal terminal emulator for Wayland
pkgs.avocode
Bridge between designers and developers
pkgs.flavours
Easy to use base16 scheme manager/builder that integrates with any workflow
pkgs.avogadro2
Molecule editor and visualizer
pkgs.endeavour
Personal task manager for GNOME
pkgs.pavolctld
Minimal volume control/monitoring daemon for PulseAudio and PipeWire
pkgs.avogadrolibs
Molecule editor and visualizer
pkgs.python312Packages.bitvavo-aio
Python client for Bitvavo crypto exchange API
pkgs.python313Packages.bitvavo-aio
Python client for Bitvavo crypto exchange API
pkgs.python314Packages.bitvavo-aio
Python client for Bitvavo crypto exchange API
pkgs.gnomeExtensions.panel-favorites
Add launchers for Favorites to the panel
pkgs.gnomeExtensions.fullscreen-avoider
Moves the top panel to the secondary monitor if the primary is in fullscreen
pkgs.gnomeExtensions.show-favorite-apps
This extension adds a favorite applications menu to the top panel
pkgs.python312Packages.django-localflavor
Country-specific Django helpers
pkgs.python313Packages.django-localflavor
Country-specific Django helpers
pkgs.python314Packages.django-localflavor
Country-specific Django helpers
pkgs.gnomeExtensions.favorites-to-applications-grid
Keep your favorite applications in your applications grid.
Package maintainers
- @megheaiulian Meghea Iulian <iulian.meghea@gmail.com>
- @sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
- @bobby285271 Bobby Rong <rjl931189261@126.com>
- @jtojnar Jan Tojnar <jtojnar@gmail.com>
- @dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
- @hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
- @moni-dz moni <lythe1107@gmail.com>
- @Misterio77 Gabriel Fontes <eu@misterio.me>
- @honnip Jung seungwoo <me@honnip.page>
- @tjkeller-xyz Tim Keller <tjk@tjkeller.xyz>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>
- @mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>