Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
Published: April 24, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-42205 (NVD)
- GHSA: GHSA-qc5p-3mg5-9fh8
- Vendor Advisory: https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
GEM
SEVERITY
CVSS v3.x: 8.8 (High)
PATCHED VERSIONS
>= 3.31.1
DESCRIPTION
Summary
A critical Broken Access Control vulnerability was identified in the
ActionsController of the Avo framework (v3.x). Due to insecure
action lookup logic, an authenticated user can execute any Action
class (descendants of Avo::BaseAction) on any resource, even if
the action is not registered for that specific resource. This leads
to Privilege Escalation and unauthorized data manipulation across
the entire application.
Details
The vulnerability exists in the action_class method within
app/controllers/avo/actions_controller.rb.
Vulnerable Code
def action_class
  # It searches through ALL descendants of BaseAction without
  # resource validation.
  Avo::BaseAction.descendants.find do |action|
    action.to_s == params[:action_id]
  end
end
The controller identifies the action class to execute solely based
on the params[:action_id] by searching through all BaseAction
descendants. It fails to verify whether the requested action is
actually permitted or registered for the resource context specified
in the request URL (e.g., /admin/resources/posts/actions).
Consequently, an attacker can invoke sensitive actions (e.g.,
Avo::Actions::ToggleAdmin) through an unrelated resource endpoint
(e.g., Post), bypassing the intended resource-action mapping.
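As an added illustration (not Avo's code and not the upstream patch), the following Ruby models the lookup described above beside a hardened lookup that only resolves actions registered for the resource named in the request; the action classes and the RESOURCE_ACTIONS map are constructed stand-ins for what each resource declares.

```ruby
module Avo
  class BaseAction
    @descendants = []
    class << self
      attr_reader :descendants
      # Track every subclass, mirroring the descendants list the controller searches.
      def inherited(sub)
        super
        BaseAction.descendants << sub
      end
    end
  end

  module Actions
    class ToggleAdmin < BaseAction; end # constructed: intended for the User resource only
    class ArchivePost < BaseAction; end # constructed: intended for the Post resource only
  end
end

# Constructed resource-name -> registered-actions map, standing in for what
# each resource declares; an action absent here is not meant to run there.
RESOURCE_ACTIONS = {
  "users" => [Avo::Actions::ToggleAdmin],
  "posts" => [Avo::Actions::ArchivePost]
}.freeze

# Lookup as described in the advisory: matches any BaseAction descendant by
# name, ignoring which resource the request targets.
def vulnerable_action_class(params)
  Avo::BaseAction.descendants.find { |a| a.to_s == params[:action_id] }
end

# Hardened lookup: only actions registered for the requested resource are
# candidates, so ToggleAdmin requested via the posts resource resolves to nil.
def safe_action_class(params)
  RESOURCE_ACTIONS.fetch(params[:resource_name], []).find do |a|
    a.to_s == params[:action_id]
  end
end

if __FILE__ == $PROGRAM_NAME
  req = { resource_name: "posts", action_id: "Avo::Actions::ToggleAdmin" }
  p vulnerable_action_class(req) # => Avo::Actions::ToggleAdmin
  p safe_action_class(req)       # => nil
end
```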
Impact
This flaw results in significant security risks:
- Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
- Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
- Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.
CREDIT
Illunight
