CVE-2023-50724

2023-12-2115:15:10

CWE-79

[email protected]

web.nvd.nist.gov

resque

redis

background jobs

queues

resque-web

reflected xss

security vulnerability

cve-2023-50724

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

0.001 Low

EPSS

Percentile

27.1%

JSON

Resque (pronounced like “rescue”) is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.

Affected configurations

Vulners

NVD

Node

resqueresqueRange<2.1.0

VendorProductVersionCPE
resqueresque*cpe:2.3:a:resque:resque:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
resque	resque	*	cpe:2.3:a:resque:resque::::::::

CNA Affected

[
  {
    "vendor": "resque",
    "product": "resque",
    "versions": [
      {
        "version": "< 2.1.0",
        "status": "affected"
      }
    ]
  }
]