CVE-2024-22191: 
Ruby vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in the key_value field of Avo, a framework for creating admin panels for Ruby on Rails apps. The vulnerability affects Avo versions 3.2.3 and 2.46.0, and was disclosed on January 16, 2024. This security flaw is tracked as CVE-2024-22191 (NVD, GitHub Advisory).

The vulnerability stems from improper sanitization of input in the key_value field, where values are inserted directly into the HTML code without proper sanitization. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as MEDIUM (5.4) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while GitHub rates it as HIGH (7.3) with vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser. The potential impact includes theft of sensitive information that could be used to hijack victims' accounts or redirect them to malicious websites (GitHub Advisory).

The vulnerability has been fixed in Avo versions 3.2.4 and 2.47.0. The fix implements proper sanitization of the key_value field content using DOMPurify (Avo Patch). Users are strongly advised to upgrade to these patched versions (GitHub Advisory).