CVE-2023-50725 (resque): Resque vulnerable to reflected XSS in resque-web failed and queues lists

Resque vulnerable to reflected XSS in resque-web failed and queues lists

Published: December 18, 2023

SECURITY IDENTIFIERS

CVE: CVE-2023-50725 (NVD)
GHSA: GHSA-gc3j-vvwf-4rp8
Vendor Advisory: https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8

GEM

resque

SEVERITY

CVSS v3.x: 6.3 (Medium)

PATCHED VERSIONS

>= 2.2.1

DESCRIPTION

Impact

The following paths in resque-web have been found to be vulnerable to reflected XSS:

/failed/?class=&lt;script&gt;alert(document.cookie)&lt;/script&gt;
/queues/&gt;&lt;img src=a onerror=alert(document.cookie)&gt;

Patches

v2.2.1

Workarounds

No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/pull/1790

https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8
https://github.com/resque/resque/pull/1790
https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07
https://github.com/advisories/GHSA-gc3j-vvwf-4rp8

RubySec