Cyber Resilience

CVE-2023-34102

High · Public PoC

Published: 05 June 2023

Modified: 21 November 2024
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0224 (84.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-34102 is a high-severity Improper Input Validation (CWE-20) vulnerability in Avohq Avo. Its CVSS base score is 8.3 (High).

Operationally, it ranks in the top 15.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Avo is an open source Ruby on Rails framework for building admin panels. The vulnerability exists in its polymorphic field type, which accepts and stores class names supplied through user input during record updates without performing backend validation. This flaw, tracked under CWE-20 and CWE-470, received a CVSS 3.1 score of 8.3 and was addressed in commit ec117882ddb1b519481bdd046dc3cfa4474e6e17.

An authenticated attacker with low privileges can supply a manipulated class reference over the network. When an administrator later views the altered record, the application may execute arbitrary code, exhibit unexpected behavior, or crash.
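As an added illustration of the CWE-470 pattern described above (this is not Avo's own code; the model names, the `COMMENTABLE_TYPES` allowlist and the update handler are hypothetical), the following plain-Ruby sketch contrasts resolving a request-supplied type name directly with checking it against an allowlist before it is ever turned into a class:

```ruby
# Constructed stand-in models for a polymorphic "commentable" field.
class Post;    end
class Article; end

class PolymorphicTypeError < StandardError; end

# Allowlist of class names the field may reference. It comes from the model
# definition, never from the request (hypothetical constant for this example).
COMMENTABLE_TYPES = %w[Post Article].freeze

# Vulnerable shape: the type name from params is resolved as-is, so any
# loadable constant can be selected by whoever submits the update.
def resolve_type_unsafe(type_name)
  Object.const_get(type_name)
end

# Hardened shape: compare the raw string against the allowlist first;
# only a permitted name is ever resolved to a class.
def resolve_type(type_name, allowed: COMMENTABLE_TYPES)
  name = type_name.to_s
  unless allowed.include?(name)
    raise PolymorphicTypeError, "type not permitted: #{name.inspect}"
  end
  Object.const_get(name)
end

# Simulated update handler: returns the attributes that would be persisted
# for the record, or raises before anything is stored.
def update_commentable(params)
  klass = resolve_type(params["commentable_type"])
  {
    "commentable_type" => klass.name,
    "commentable_id"   => Integer(params["commentable_id"]),
  }
end

# Convenience for callers that want a boolean rather than an exception.
def permitted_type?(type_name, allowed: COMMENTABLE_TYPES)
  resolve_type(type_name, allowed: allowed)
  true
rescue PolymorphicTypeError
  false
end
```

The allowlist check is on the string, before `const_get`, so a leading `::`, a module path, or an empty value is rejected without being looked up.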

The project security advisory and associated commit state that the issue is resolved in the referenced patch and recommend restricting access from untrusted users until a subsequent release is deployed. The associated EPSS score rose from a low baseline to a peak of 0.0887 on 2026-02-28 before receding to its current value of 0.0224.

Vulnerability details

Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d` which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.

CWE(s)

CWE-20 (Improper Input Validation)
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, "Unsafe Reflection")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

avohq/avo: 3.0.0 · ≤ 2.33.2

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Addresses CWE-470: Externally controlled class or code selection can be resolved and invoked inside the chamber, surfacing unsafe reflection without system impact.
- Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.
- Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
