Cross-Site Scripting(XSS) issue #2330

Closed
KelvinLin opened this issue May 4, 2015 · 5 comments

Comments

@KelvinLin

When on the queues page, requesting the URL below can cause Cross-Site Scripting (XSS):
%url%/sidekiq/queues/%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%38%34%37%33%29%3e

@mperham
Collaborator

mperham commented May 4, 2015

I can't reproduce. When I hit http://localhost:3000/sidekiq/queues/%3c%69%4d%67%20%53%72%43%3d%78%20%4f%6e%45%72%52%6f%52%3d%61%6c%65%72%74%28%34%38%34%37%33%29%3e I just get an empty page.

For everyone else, the URL is actually http://localhost:3000/sidekiq/queues/%3CiMg%20SrC%3dx%20OnErRoR%3dalert%2848473%29%3E
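As an added illustration of the bug class, not Sidekiq's own code: the decoded path segment from the URL above is rendered through a constructed ERB template once without escaping and once through ERB::Util.html_escape, which is the standard fix for values reflected from the request. The template strings, the path-splitting helper and the check function are assumptions made for this example.

```ruby
require "erb"
require "uri"

# Constructed stand-in for the reported pattern: the queue name taken from
# the request path is interpolated into the page without escaping.
# (Sidekiq's real web/views/queue.erb is not reproduced here.)
VULNERABLE_TEMPLATE = "<h3>Queue: <%= name %></h3>"

# Hardened form: every request-derived value is HTML-escaped on output.
SAFE_TEMPLATE = "<h3>Queue: <%= ERB::Util.html_escape(name) %></h3>"

# The percent-encoded path posted in the thread above.
REPORTED_PATH = "/sidekiq/queues/%3CiMg%20SrC%3dx%20OnErRoR%3dalert%2848473%29%3E"

# Take the last path segment and percent-decode it, as a router would.
def queue_name_from_path(path)
  URI.decode_www_form_component(path.split("/").last)
end

# Render a template with the queue name bound as a local variable.
def render(template, name)
  ERB.new(template).result_with_hash(name: name)
end

# True when a name containing markup characters survives rendering verbatim,
# i.e. the view reflects it unescaped. Useful as a regression check on views.
def reflects_markup?(template, name)
  return false unless name.match?(/[<>"'&]/)
  render(template, name).include?(name)
end

if __FILE__ == $0
  name = queue_name_from_path(REPORTED_PATH)
  puts "decoded queue name: #{name}"
  puts "unescaped view:     #{render(VULNERABLE_TEMPLATE, name)}"
  puts "escaped view:       #{render(SAFE_TEMPLATE, name)}"
end
```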

@mperham
Collaborator

mperham commented May 4, 2015

Ok, chrome ignored it but firefox reproduced it.

@mperham mperham closed this as completed in 2178d66 May 4, 2015
@KelvinLin
Author

KelvinLin commented May 4, 2015 via email

Thank you! It is working and more secure now!

@aprescott
Contributor

In case anyone is wondering, Chrome has some XSS security built into it where it will detect if pieces of the URL show up as HTML/DOM elements. (Not really sure why Firefox doesn't have it...)

tijmenb added a commit to alphagov/collections-publisher that referenced this issue Feb 4, 2016
This commit upgrades Sidekiq to 3.5.4, the latest version in the 3.X
series (4.0 has come out a few months ago). It is necessary to upgrade
because there are a couple of vulnerabilities reported in 2.X.

This concerns these issues:

- sidekiq/sidekiq#2422
- sidekiq/sidekiq#2330
- sidekiq/sidekiq#2309

As mentioned in the upgrade guide[1], we've upgraded the Airbrake gem
as well. Other items in the upgrade guide are not applicable.

[1] https://github.com/mperham/sidekiq/blob/master/3.0-Upgrade.md
MMartyn added a commit to MMartyn/sidekiq that referenced this issue Jun 8, 2016
carvil pushed a commit to alphagov/content-tagger that referenced this issue Jul 20, 2016
chrismytton added a commit to everypolitician/webhook-manager that referenced this issue Sep 28, 2016
This fixes the following vulnerabilities that bundler-audit warns us
about:

Name: sidekiq
Version: 3.3.4
Advisory: 125675
Criticality: Unknown
URL: sidekiq/sidekiq#2422
Title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
Solution: upgrade to >= 3.4.2

Name: sidekiq
Version: 3.3.4
Advisory: 125676
Criticality: Unknown
URL: sidekiq/sidekiq#2330
Title: Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS
Solution: upgrade to >= 3.4.0

Name: sidekiq
Version: 3.3.4
Advisory: 125678
Criticality: Unknown
URL: sidekiq/sidekiq#2309
Title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Solution: upgrade to >= 3.4.0