GoogleOSV:GHSA-9HMQ-FM33-X4XXResque Scheduler Reflected XSS In Delayed Jobs View
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.8%
Impact
Resque Scheduler version 1.27.4 and above are affected by a cross-site scripting vulnerability. A remote attacker can inject javascript code to the “{schedule_job}” or “args” parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.
Patches
Fixed in v4.10.2
Workarounds
No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.
References
References
github.com/resque/resque-scheduler
github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
github.com/rubysec/ruby-advisory-db/blob/master/gems/resque-scheduler/CVE-2022-44303.yml
nvd.nist.gov/vuln/detail/CVE-2022-44303
trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
35.8%