Avo framework, Broken Access Control, CVE-pending (critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in the `action_class` method inside app/controllers/avo/actions_controller.rb.
The controller searches for an action class by iterating over all descendants of `Avo::BaseAction` using Avo::BaseAction.descendants.find { |action| action.to_s == params[:action_id] }.
It accepts `params[:action_id]` directly from the request without any validation against the current resource context.
An authenticated user can send a POST request to any resource endpoint (e.g., /admin/resources/posts/actions) with an `action_id` pointing to a privileged action (e.g., Avo::Actions::ToggleAdmin).
Because the lookup does not check if that action is actually registered for the targeted resource (e.g., `Post` resource), the framework blindly instantiates and executes the requested action.
The vulnerable code fails to verify that the action belongs to the resource’s allowed action list.
Thus, an attacker can trigger sensitive operations on arbitrary records (e.g., User ID 1) by supplying `fields

` with the target record ID.
The action executes with the permissions of the authenticated user, but if the action contains privileged logic (like toggling admin flags), it leads to privilege escalation.
No authorization hook checks whether the user is allowed to run that specific action on that resource type.

<h2 style="color: blue;">The flaw bypasses the intended resource-action mapping entirely.</h2>

Consequently, any action class defined in the application becomes remotely invokable on any record.
This effectively breaks the access control model of the Avo admin panel.
The issue affects all Avo v3.x versions before the patch.
An attacker only needs low-privileged authenticated access to the admin panel.
The PoC demonstrates invoking `ToggleAdmin` via the `posts` resource endpoint, modifying a user’s admin status.
Remediation replaces the global descendant search with <code>@resource.get_actions.find</code>, restricting execution to allowed actions only.

<h2 style="color: blue;">dailycve form:</h2>

Platform: Avo framework
Version: v3.x
Vulnerability: Broken Access Control
Severity: Critical
date: 2024-04-24

<h2 style="color: blue;">Prediction: 2024-05-15</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

[bash]
Find all descendants of BaseAction (vulnerable scope)
avo_console> Avo::BaseAction.descendants.map(&:to_s)
Simulate malicious POST with curl
curl -X POST https://target.com/admin/resources/posts/actions \
-d "action_id=Avo::Actions::ToggleAdmin&fields[bash]=1" \
-b "session_cookie=..."
Grep for vulnerable pattern in source code
grep -r "BaseAction.descendants.find" app/controllers/avo/

how Exploit:

1. Login as low-privilege user

2. Craft POST to /admin/resources/posts/actions

3. Set action_id=Avo::Actions::ToggleAdmin

4. Set fields[bash]=

5. Send request – action executes unauthorized

Protection from this CVE:

Upgrade to patched version >v3.x

Or manually apply fix: replace descendant lookup with `@resource.get_actions.find` in `actions_controller.rb`

Implement resource-specific action whitelist validation

Add before_action filter to verify action registration

Impact:

Privilege escalation to admin

Unauthorized data manipulation (delete, archive, update)

Cross-resource action execution

Complete integrity compromise of all records

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top