Avo Framework Broken Access Control Vulnerability in ActionsController Allowing Privilege Escalation

Vulnerability

A broken access control vulnerability has been identified in the Avo framework for Ruby on Rails, specifically in ActionsController. It affects versions 3.31.0 and prior and arises from insecure action lookup logic: the controller resolves the action named in the request without checking that the action is registered for the resource being acted on, so an authenticated user can execute any Action class against any resource. Because per-resource action registration is what limits which operations a user can reach from a given resource, this flaw can lead to privilege escalation and unauthorized data manipulation across the application.

Impact

Any authenticated user, however limited their privileges, can invoke actions that were meant to be reachable only from other resources or only by administrators, bypassing the intended access controls. Depending on what the reachable actions do, this can mean deleting or modifying records, or escalating privileges by altering roles or permissions.

Reproduction

To reproduce, log into the Avo admin panel as a user with limited permissions. Identify a target record ID and a sensitive action class, such as Avo::Actions::ToggleAdmin (the class name will vary by application). Send a POST request to the actions endpoint of a resource on which that action is not registered, with the action's ID and the target record ID in the payload. A vulnerable server instantiates and runs the requested action on that record, demonstrating the unauthorized access; a patched server should refuse the request, which makes the same request a useful post-upgrade check.
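The following Ruby snippet is an added illustration of the lookup flaw described in the Vulnerability and Reproduction sections. It is not Avo's code: the Actions module, the two resource classes with their ACTIONS registries, and the lookup and dispatch functions are all assumed here purely to contrast resolving an action from the request string with resolving it only from the list the resource itself registered.

```ruby
# Illustrative model of the flaw, NOT Avo's own code. All class names,
# the ACTIONS registries and the helper methods below are assumptions.

module Actions
  # Harmless action that the Post resource registers.
  class PublishPost
    def self.handle(record_id)
      "published post #{record_id}"
    end
  end

  # Sensitive action that only the User resource registers.
  class ToggleAdmin
    def self.handle(record_id)
      "toggled admin flag on user #{record_id}"
    end
  end
end

# Each resource declares the actions it is allowed to run.
class PostResource
  ACTIONS = [Actions::PublishPost].freeze
end

class UserResource
  ACTIONS = [Actions::ToggleAdmin].freeze
end

class ActionNotFound < StandardError; end

# Vulnerable lookup: resolves whatever constant name the request supplies,
# so the resource named in the URL never constrains which action runs.
def vulnerable_lookup(_resource, action_id)
  Object.const_get(action_id)
rescue NameError
  raise ActionNotFound, action_id
end

# Hardened lookup: the request string is only used to search the list the
# resource itself registered; anything else is refused before instantiation.
def safe_lookup(resource, action_id)
  resource::ACTIONS.find { |klass| klass.name == action_id } ||
    raise(ActionNotFound, action_id)
end

# Simulates the controller handling a POST to a resource's actions endpoint
# with the action id and record id taken from the request body.
def dispatch(resource, params, lookup:)
  action = send(lookup, resource, params[:action_id])
  action.handle(params[:id])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a sensitive action sent to a resource that does not register it.
  params = { action_id: "Actions::ToggleAdmin", id: 42 }
  puts dispatch(PostResource, params, lookup: :vulnerable_lookup)
  begin
    dispatch(PostResource, params, lookup: :safe_lookup)
  rescue ActionNotFound => e
    puts "refused: #{e.message}"
  end
end
```

The vulnerable path runs the admin-toggling action from the Post resource because nothing ties the request string back to PostResource; the hardened path treats the registry as the allow-list and fails closed, which is the property to verify after upgrading.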

Remediation

Users are advised to update to Avo version 3.31.2 or later, where this vulnerability has been patched. Confirm the upgrade by checking the avo entry in Gemfile.lock, and re-send the reproduction request against a resource that does not register the action to verify it is now refused.

Added: May 8, 2026, 10:25 PM
Updated: May 8, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.