# CVE-2023-50725.yml
---
gem: resque
cve: 2023-50725
ghsa: gc3j-vvwf-4rp8
url: https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8
title: Resque vulnerable to reflected XSS in resque-web failed and queues lists
date: 2023-12-18
description: |
  ### Impact
  The following paths in resque-web have been found to be vulnerable to
  reflected XSS. The `class` query parameter of the failed list and the
  queue name in the queues path are reflected into the page without
  HTML escaping:
  ```
  /failed/?class=<script>alert(document.cookie)</script>
  /queues/><img src=a onerror=alert(document.cookie)>
  ```
  ### Patches
  v2.2.1
  ### Workarounds
  No known workarounds at this time. It is recommended not to click on
  third-party or untrusted links to the resque-web interface until you
  have patched your application.
  ### References
  https://github.com/resque/resque/pull/1790
cvss_v3: 6.3
patched_versions:
- ">= 2.2.1"
related:
  url:
    - https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8
    - https://github.com/resque/resque/pull/1790
    - https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07
    - https://github.com/advisories/GHSA-gc3j-vvwf-4rp8
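The two advisory paths above, replayed against a minimal router that renders them the vulnerable way and the hardened way. This is an added illustration and not resque-web's own code or the fix in v2.2.1: the handler names (`dispatch`, `render_failed_*`, `render_queue_*`), the HTML around the reflected values and the percent-encoded request strings are all assumptions constructed here. The payloads themselves are the ones listed in the advisory, encoded as a browser would send them.

```ruby
require "uri"
require "cgi"
require "erb"

# Constructed payloads: the two advisory paths, percent-encoded as a browser
# would transmit them rather than as the raw strings shown in the advisory.
FAILED_CLASS_PAYLOAD = "<script>alert(document.cookie)</script>"
QUEUE_NAME_PAYLOAD   = "><img src=a onerror=alert(document.cookie)>"
FAILED_REQUEST = "/failed/?class=#{ERB::Util.url_encode(FAILED_CLASS_PAYLOAD)}"
QUEUE_REQUEST  = "/queues/#{ERB::Util.url_encode(QUEUE_NAME_PAYLOAD)}"

# Vulnerable pattern (hypothetical handlers, not resque-web's templates):
# the request-controlled value is interpolated straight into the HTML.
def render_failed_unsafe(klass)
  "<h1>Failed jobs of class #{klass}</h1>"
end

def render_queue_unsafe(queue)
  %(<a href="/queues/#{queue}">#{queue}</a>)
end

# Hardened pattern: escape for the HTML text context, and percent-encode the
# value where it is placed back into a URL path inside an attribute.
def h(value)
  CGI.escapeHTML(value.to_s)
end

def render_failed_safe(klass)
  "<h1>Failed jobs of class #{h(klass)}</h1>"
end

def render_queue_safe(queue)
  %(<a href="/queues/#{ERB::Util.url_encode(queue)}">#{h(queue)}</a>)
end

# Minimal router standing in for the two routes named in the advisory: parse
# the request target, decode the untrusted input the way the app would see
# it, then render with or without escaping.
def dispatch(request_target, safe:)
  uri = URI.parse(request_target)
  params = URI.decode_www_form(uri.query.to_s).to_h
  if uri.path.match?(%r{\A/failed/?\z})
    klass = params.fetch("class", "")
    safe ? render_failed_safe(klass) : render_failed_unsafe(klass)
  elsif (m = uri.path.match(%r{\A/queues/(.+)\z}))
    queue = URI.decode_www_form_component(m[1])
    safe ? render_queue_safe(queue) : render_queue_unsafe(queue)
  else
    "<p>not found</p>"
  end
end

# True when the raw payload survives into the response byte-for-byte, i.e.
# the injected markup is still live in the page.
def reflected_unescaped?(request_target, payload, safe:)
  dispatch(request_target, safe: safe).include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  [[FAILED_REQUEST, FAILED_CLASS_PAYLOAD],
   [QUEUE_REQUEST, QUEUE_NAME_PAYLOAD]].each do |req, payload|
    puts req
    puts "  unescaped reflection, vulnerable: #{reflected_unescaped?(req, payload, safe: false)}"
    puts "  unescaped reflection, hardened:   #{reflected_unescaped?(req, payload, safe: true)}"
  end
end
```

The point the hardened handlers make is that escaping is per output context: `CGI.escapeHTML` is right for the text between tags, but the same queue name placed into an `href` path needs URL encoding as well, otherwise the attribute is closed early. A Content-Security-Policy without `unsafe-inline` would blunt both payloads as defence in depth, but it is not a substitute for the v2.2.1 upgrade the advisory calls for.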