CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 35.8%)
Resque Scheduler versions 1.27.4 and above are affected by a cross-site scripting vulnerability. A remote attacker can inject JavaScript code into the “{schedule_job}” or “args” parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute JavaScript on the client side.
Fixed in v4.10.2
No known workarounds at this time. It is recommended not to click on third-party or untrusted links to the resque-web interface until you have patched your application.
CPE

| Name | Operator | Version |
|---|---|---|
| resque-scheduler | ge | 1.27.4 |
| resque-scheduler | lt | 4.10.2 |
github.com/advisories/GHSA-9hmq-fm33-x4xx
github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
github.com/rubysec/ruby-advisory-db/blob/master/gems/resque-scheduler/CVE-2022-44303.yml
nvd.nist.gov/vuln/detail/CVE-2022-44303
trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job