CVE-2024-32887

2024-04-2907:15:24

redhat.com

access.redhat.com

cve-2024-32887

cross-site scripting

rubygem sidekiq

javascript code injection

user accounts compromise

data theft

cors attacks

web application defacement

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

15.7%

JSON

A reflected Cross-site scripting (XSS) vulnerability was found in Rubygem Sidekiq. The value of the substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit this to target the users of the Sidekiq Web UI and users of other applications deployed on the same domain or website as that of the Sidekiq website. This issue potentially compromises user accounts and data, forcing the users to perform sensitive actions that involve stealing sensitive data, performing CORS attacks, or defacement of the web application.