Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d` which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-05T22:16:43.861Z

Updated: 2024-08-02T16:01:54.061Z

Reserved: 2023-05-25T21:56:51.245Z

Link: CVE-2023-34102

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-06-05T23:15:12.220

Modified: 2024-11-21T08:06:33.013

Link: CVE-2023-34102

cve-icon Redhat

No data.