Updated advisory posts against rubysec/ruby-advisory-db@11a6fb4

Author: jasnow

advisories/_posts/2026-04-24-CVE-2026-42205.md

@@ -0,0 +1,79 @@
+---
+layout: advisory
+title: 'CVE-2026-42205 (avo): Broken Access Control Through Unauthorized Execution
+  of Arbitrary Action Classes Across Resources'
+comments: false
+categories:
+- avo
+advisory:
+  gem: avo
+  cve: 2026-42205
+  ghsa: qc5p-3mg5-9fh8
+  url: https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
+  title: Broken Access Control Through Unauthorized Execution of Arbitrary Action
+    Classes Across Resources
+  date: 2026-04-24
+  description: |-
+    ### Summary
+
+    A critical Broken Access Control vulnerability was identified in the
+    `ActionsController` of the Avo framework (v3.x). Due to insecure
+    action lookup logic, an authenticated user can execute any Action
+    class (descendants of `Avo::BaseAction`) on any resource, even if
+    the action is not registered for that specific resource. This leads
+    to Privilege Escalation and unauthorized data manipulation across
+    the entire application.
+
+    ### Details
+
+    The vulnerability exists in the `action_class` method within
+    `app/controllers/avo/actions_controller.rb`.
+
+    #### Vulnerable Code
+
+    ```ruby
+    def action_class
+      # It searches through ALL descendants of BaseAction without
+      #    resource validation.
+      Avo::BaseAction.descendants.find do |action|
+        action.to_s == params[:action_id]
+      end
+    end
+    ```
+
+    The controller identifies the action class to execute solely based
+    on the `params[:action_id]` by searching through all `BaseAction`
+    descendants. It fails to verify whether the requested action is
+    actually permitted or registered for the resource context specified
+    in the request URL (e.g., `/admin/resources/posts/actions`).
+
+    Consequently, an attacker can invoke sensitive actions (e.g.,
+    `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint
+    (e.g., `Post`), bypassing the intended resource-action mapping.
+
+    ### Impact
+
+    This flaw results in significant security risks:
+
+    - **Privilege Escalation:** An authenticated user with low privileges
+      can execute administrative actions (like toggling admin roles) to
+      escalate their own or others' permissions.
+    - **Unauthorized Operations:** Actions designed for restricted
+      resources can be triggered against any record ID in the database.
+    - **Data Integrity Compromise:** Attackers can perform unauthorized
+      destructive operations (e.g., Delete, Archive, or Update) on records
+      they should not have access to.
+
+    ### CREDIT
+
+    Illunight
+  cvss_v3: 8.8
+  patched_versions:
+  - ">= 3.31.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-42205
+    - https://github.com/avo-hq/avo/releases/tag/v3.31.1
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
+    - https://github.com/advisories/GHSA-qc5p-3mg5-9fh8
+---

advisories/_posts/2026-05-05-GHSA-3h96-34p3-xm76.md

@@ -0,0 +1,41 @@
+---
+layout: advisory
+title: 'GHSA-3h96-34p3-xm76 (graphql): GraphQL-Ruby''s Ruby lexer does not count comment
+  tokens for the purposes of max_query_string_tokens'
+comments: false
+categories:
+- graphql
+advisory:
+  gem: graphql
+  ghsa: 3h96-34p3-xm76
+  url: https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
+  title: GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes
+    of max_query_string_tokens
+  date: 2026-05-05
+  description: |-
+    GraphQL-Ruby's `max_query_string_tokens` configuration didn't count
+    comment tokens against the limit, allowing strings to be processed
+    even after the configured maximum had actually been reached.
+
+    In patched versions, the Ruby lexer does count these tokens.
+
+    GraphQL-CParser is not affected by this problem.
+
+    `max_query_string_tokens` was introduced in v2.3.1. Each 2.x
+    version has received a new patch release for including a fix.
+  cvss_v3: 5.3
+  unaffected_versions:
+  - "< 2.3.1"
+  patched_versions:
+  - "~> 2.3.23"
+  - "~> 2.4.18"
+  - "~> 2.5.26"
+  - ">= 2.6.1"
+  related:
+    url:
+    - https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md#261
+    - https://github.com/rmosolgo/graphql-ruby/commit/2a8d95680bf1ed9bb7c0d89345a736f57b10877b
+    - https://github.com/rmosolgo/graphql-ruby/pull/4929
+    - https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-3h96-34p3-xm76
+    - https://github.com/advisories/GHSA-3h96-34p3-xm76
+---

advisories/_posts/2026-05-07-CVE-2026-44312.md

@@ -0,0 +1,61 @@
+---
+layout: advisory
+title: 'CVE-2026-44312 (css_parser): Improper Certificate Validation allows MITM injection
+  of remote CSS content'
+comments: false
+categories:
+- css_parser
+advisory:
+  gem: css_parser
+  cve: 2026-44312
+  ghsa: ff6c-w6qf-7xqc
+  url: https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc
+  title: Improper Certificate Validation allows MITM injection of remote CSS content
+  date: 2026-05-07
+  description: |-
+    ### Summary
+
+    The CSS Parser gem does not validate HTTPS connections, allowing a
+    Man-in-the-Middle (MITM) attacker to inject or modify CSS content when
+    stylesheets are loaded via HTTPS. The connection is established with
+    `OpenSSL::SSL::VERIFY_NONE`, meaning any HTTPS certificate—even
+    entirely untrusted—will be accepted without validation.
+
+    ### Details
+
+    In `lib/css_parser/parser.rb`, the HTTP client sets:
+    https://github.com/premailer/css_parser/blob/3f91e8db7547fac50ab50cb7f9920f785f722740/lib/css_parser/parser.rb#L646
+
+    ```ruby
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    ```
+
+    As a result, the library does not validate the authenticity of HTTPS
+    connections and does not protect against man-in-the-middle attacks.
+    Any attacker in a position to intercept network traffic can inject
+    or modify CSS loaded via HTTPS URLs without detection or warning.
+
+    ### Impact
+
+    Applications using CSS Parser to load remote stylesheets over HTTPS
+    are vulnerable to CSS injection and content manipulation, regardless
+    of the trust status of the remote server. All users who use CSS Parser
+    to fetch external CSS over HTTPS may be impacted.
+
+    ### Credit
+
+    This vulnerability was uncovered by @JLLeitschuh of the
+    @braze-inc security team.
+  cvss_v3: 5.8
+  patched_versions:
+  - "~> 1.22.0"
+  - ">= 2.1.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-44312
+    - https://github.com/premailer/css_parser/security/advisories/GHSA-ff6c-w6qf-7xqc
+    - https://github.com/premailer/css_parser/commit/35e689c904225add78e0c488cf04bad052666449
+    - https://github.com/premailer/css_parser/commit/e0c95d5abe91b237becb90ff316531a6547ada18
+    - https://github.com/premailer/css_parser/issues/185
+    - https://github.com/advisories/GHSA-ff6c-w6qf-7xqc
+---