Lucene search

[email protected]CVE-2024-32887

HistoryApr 26, 2024 - 9:15 p.m.

CVE-2024-32887

2024-04-2621:15:49

CWE-79

[email protected]

web.nvd.nist.gov

sidekiq

ruby

reflected xss

vulnerability

substr parameter

attacker

injection

javascript

response

application

web ui

compromise

accounts

sensitive data

cors attacks

patch

version 7.2.4

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

5.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4.

Affected configurations

Vulners

Node

sidekiqsidekiqRange7.2.0–7.2.4

CNA Affected

[
  {
    "vendor": "sidekiq",
    "product": "sidekiq",
    "versions": [
      {
        "version": ">= 7.2.0, < 7.2.4",
        "status": "affected"
      }
    ]
  }
]