Resque vulnerable to reflected XSS in Queue Endpoint
Published: December 18, 2023
SECURITY IDENTIFIERS
- CVE: CVE-2023-50727 (NVD)
- GHSA: GHSA-r9mq-m72x-257g
- Vendor Advisory: https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g
PACKAGE: resque (RubyGems)
SEVERITY
CVSS v3.x: 6.3 (Medium)
PATCHED VERSIONS
>= 2.6.0
DESCRIPTION
Impact
Reflected XSS can be performed through the current_queue portion of the path on the /queues endpoint of resque-web: the queue name taken from the request path is reflected into the rendered page, so a crafted link to /queues/<payload> can run attacker-supplied script in the browser of whoever opens it.
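As an added illustration of the bug class (this is not resque's code and does not reproduce its templates), the following Ruby stand-in renders a minimal queue page from a /queues/<current_queue> path in two ways: interpolating the path segment straight into the markup, and HTML-escaping it first with the standard library's CGI.escapeHTML. The route regex, the page markup and the reflection check are all assumptions made for the example.

```ruby
require 'cgi'

# Constructed stand-in for how a Sinatra-style route pulls the queue name out of
# the request path. Rack has already percent-decoded the segment by the time a
# real handler sees it; CGI.unescape simulates that step here.
def queue_from_path(path)
  m = path.match(%r{\A/queues/(.+)\z})
  m && CGI.unescape(m[1])
end

# Vulnerable rendering: the untrusted path segment lands in the HTML verbatim,
# so a queue name of "<script>...</script>" becomes live markup.
def render_queue_page_vulnerable(current_queue)
  "<h1>Queue: #{current_queue}</h1>"
end

# Hardened rendering: escape <, >, &, " and ' before the value reaches the page.
# In a Sinatra app Rack::Utils.escape_html does the same job.
def render_queue_page_hardened(current_queue)
  "<h1>Queue: #{CGI.escapeHTML(current_queue)}</h1>"
end

# Reflection check used for testing: does the raw payload survive into the
# rendered HTML unchanged? If it does, the page is reflecting it unescaped.
def reflects_unescaped?(html, payload)
  html.include?(payload)
end

if $PROGRAM_NAME == __FILE__
  payload = '<script>alert(document.cookie)</script>'   # constructed probe
  path    = "/queues/#{CGI.escape(payload)}"            # the link a victim would open
  queue   = queue_from_path(path)
  puts "vulnerable: #{render_queue_page_vulnerable(queue)}"
  puts "hardened:   #{render_queue_page_hardened(queue)}"
end
```

Run it as a script to see both outputs side by side; the hardened rendering shows the payload as text (`&lt;script&gt;...`) rather than as an executable element.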
Patches
v2.6.0
Workarounds
No known workarounds at this time. Until your application is patched, do not follow third-party or untrusted links into the resque-web interface.
References
https://github.com/resque/resque/pull/1865
