GHSA/SYNC: 3 more new advisories

gems/avo/CVE-2026-42205.yml

@@ -0,0 +1,71 @@
+---
+gem: avo
+cve: 2026-42205
+ghsa: qc5p-3mg5-9fh8
+url: https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
+title: Broken Access Control Through Unauthorized Execution of Arbitrary
+  Action Classes Across Resources
+date: 2026-04-24
+description: |
+  ### Summary
+
+  A critical Broken Access Control vulnerability was identified in the
+  `ActionsController` of the Avo framework (v3.x). Due to insecure
+  action lookup logic, an authenticated user can execute any Action
+  class (descendants of `Avo::BaseAction`) on any resource, even if
+  the action is not registered for that specific resource. This leads
+  to Privilege Escalation and unauthorized data manipulation across
+  the entire application.
+
+  ### Details
+
+  The vulnerability exists in the `action_class` method within
+  `app/controllers/avo/actions_controller.rb`.
+
+  #### Vulnerable Code
+
+  ```ruby
+  def action_class
+    # It searches through ALL descendants of BaseAction without
+    #    resource validation.
+    Avo::BaseAction.descendants.find do |action|
+      action.to_s == params[:action_id]
+    end
+  end
+  ```
+
+  The controller identifies the action class to execute solely based
+  on the `params[:action_id]` by searching through all `BaseAction`
+  descendants. It fails to verify whether the requested action is
+  actually permitted or registered for the resource context specified
+  in the request URL (e.g., `/admin/resources/posts/actions`).
+
+  Consequently, an attacker can invoke sensitive actions (e.g.,
+  `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint
+  (e.g., `Post`), bypassing the intended resource-action mapping.
+
+  ### Impact
+
+  This flaw results in significant security risks:
+
+  - **Privilege Escalation:** An authenticated user with low privileges
+    can execute administrative actions (like toggling admin roles) to
+    escalate their own or others' permissions.
+  - **Unauthorized Operations:** Actions designed for restricted
+    resources can be triggered against any record ID in the database.
+  - **Data Integrity Compromise:** Attackers can perform unauthorized
+    destructive operations (e.g., Delete, Archive, or Update) on records
+    they should not have access to.
+
+  ### CREDIT
+
+  Illunight
+cvss_v3: 8.8
+patched_versions:
+  - ">= 3.31.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-42205
+    - https://github.com/avo-hq/avo/releases/tag/v3.31.2
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
+    - https://github.com/advisories/GHSA-qc5p-3mg5-9fh8

gems/css_parser/CVE-2026-44312.yml

@@ -0,0 +1,54 @@
+---
+gem: css_parser
+cve: 2026-44312
+ghsa: ff6c-w6qf-7xqc
+url: https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc
+title: Improper Certificate Validation allows MITM injection of remote
+  CSS content
+date: 2026-05-07
+description: |
+  ### Summary
+
+  The CSS Parser gem does not validate HTTPS connections, allowing a
+  Man-in-the-Middle (MITM) attacker to inject or modify CSS content when
+  stylesheets are loaded via HTTPS. The connection is established with
+  `OpenSSL::SSL::VERIFY_NONE`, meaning any HTTPS certificate—even
+  entirely untrusted—will be accepted without validation.
+
+  ### Details
+
+  In `lib/css_parser/parser.rb`, the HTTP client sets:
+  https://github.com/premailer/css_parser/blob/3f91e8db7547fac50ab50cb7f9920f785f722740/lib/css_parser/parser.rb#L646
+
+  ```ruby
+  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+  ```
+
+  As a result, the library does not validate the authenticity of HTTPS
+  connections and does not protect against man-in-the-middle attacks.
+  Any attacker in a position to intercept network traffic can inject
+  or modify CSS loaded via HTTPS URLs without detection or warning.
+
+  ### Impact
+
+  Applications using CSS Parser to load remote stylesheets over HTTPS
+  are vulnerable to CSS injection and content manipulation, regardless
+  of the trust status of the remote server. All users who use CSS Parser
+  to fetch external CSS over HTTPS may be impacted.
+
+  ### Credit
+
+  This vulnerability was uncovered by @JLLeitschuh of the
+  @braze-inc security team.
+cvss_v3: 5.8
+patched_versions:
+  - "~> 1.22.0"
+  - ">= 2.1.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-44312
+    - https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc
+    - https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449
+    - https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18
+    - https://github.com/premailer/css_parser/issues/185
+    - https://github.com/advisories/GHSA-ff6c-w6qf-7xqc

gems/graphql/GHSA-3h96-34p3-xm76.yml

@@ -0,0 +1,33 @@
+---
+gem: graphql
+ghsa: 3h96-34p3-xm76
+url: https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
+title: GraphQL-Ruby's Ruby lexer does not count comment tokens for
+  the purposes of max_query_string_tokens
+date: 2026-05-05
+description: |
+  GraphQL-Ruby's `max_query_string_tokens` configuration didn't count
+  comment tokens against the limit, allowing strings to be processed
+  even after the configured maximum had actually been reached.
+
+  In patched versions, the Ruby lexer does count these tokens.
+
+  GraphQL-CParser is not affected by this problem.
+
+  `max_query_string_tokens` was introduced in v2.3.1. Each 2.x
+  version has received a new patch release for including a fix.
+cvss_v3: 5.3
+unaffected_versions:
+  - "< 2.3.1"
+patched_versions:
+  - "~> 2.3.23"
+  - "~> 2.4.18"
+  - "~> 2.5.26"
+  - ">= 2.6.1"
+related:
+  url:
+    - https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md#261
+    - https://github.com/rmosolgo/graphql-ruby/commit/2a8d95680bf1ed9bb7c0d89345a736f57b10877b
+    - https://github.com/rmosolgo/graphql-ruby/pull/4929
+    - https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
+    - https://github.com/advisories/GHSA-3h96-34p3-xm76