CVSS 3.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Cross-site scripting (XSS) in the sidekiq-unique-jobs "admin" web UI, potentially exposing cookies, session data and localStorage; fixed in sidekiq-unique-jobs v8.0.7.
Specially crafted URL query parameters handled by the endpoints listed below are reflected into the page without escaping.
An attacker who is themselves authorized to use the UI, or an unwitting but authorized victim who follows a disguised / crafted link,
ends up executing attacker-supplied script in the context of the application the sidekiq-unique-jobs web UI is mounted in,
which can steal that application's cookies, session data or localStorage contents.
If your sidekiq-unique-jobs web UI is mounted at /sidekiq, the vulnerable paths and their query parameters are:
/sidekiq/changelogs: filter, count
/sidekiq/locks: filter, count
/sidekiq/expiring_locks: filter
The maintainers rate this vulnerability as critical because sidekiq-unique-jobs is widely deployed across the industry, so many thousands of sites are affected, and several endpoints and parameters provide attack vectors; note that the CVSS 3.1 vector above (user interaction required, low impacts in each category) scores it in the High range rather than Critical.
The fix for the XSS vulnerability was released in sidekiq-unique-jobs v8.0.7; upgrade to v8.0.7 or later.
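The following Ruby example is added here to illustrate the bug class; it is not sidekiq-unique-jobs' own code and the template strings, the LocksPage class, the reflects_unescaped? helper and the crafted query string are all constructed for this demonstration. It shows how a raw `<%= filter %>` interpolation in an ERB view turns a crafted `filter` (or `count`) query parameter into live markup, and how the same view is neutralised by passing every reflected value through ERB::Util's `h` helper and coercing `count` to an integer before it is echoed.

```ruby
require "erb"
require "uri"

# Constructed, vulnerable ERB view: the query values are interpolated raw
# into attribute values, so a `"` in `filter` closes the attribute and the
# rest of the value is parsed as HTML/script. (Hypothetical, not the gem's view.)
VULNERABLE_LOCKS_TEMPLATE = <<~ERB
  <form method="get">
    <input type="text" name="filter" value="<%= filter %>">
    <input type="text" name="count" value="<%= count %>">
  </form>
ERB

# Hardened form: every reflected value goes through h() (ERB::Util.html_escape),
# and `count` is additionally coerced to an integer so only digits are echoed.
HARDENED_LOCKS_TEMPLATE = <<~ERB
  <form method="get">
    <input type="text" name="filter" value="<%= h(filter) %>">
    <input type="text" name="count" value="<%= h(safe_count) %>">
  </form>
ERB

# Hypothetical page object standing in for the "locks" admin page.
class LocksPage
  include ERB::Util # provides h(), the HTML-escaping view helper

  attr_reader :filter, :count

  # query_string: the raw part after "?" in e.g. /sidekiq/locks?filter=...&count=...
  def initialize(query_string)
    params  = URI.decode_www_form(query_string).to_h
    @filter = params.fetch("filter", "*")
    @count  = params.fetch("count", "100")
  end

  # Integer-or-default: an attacker-controlled `count` can never carry markup.
  def safe_count
    Integer(@count, exception: false) || 100
  end

  # Renders a template with this page's values (filter, count, safe_count, h).
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Check a tester runs over a captured response body: is the injected tag
# present verbatim, i.e. did the page reflect it without escaping?
def reflects_unescaped?(html, payload = "<script>")
  html.include?(payload)
end

# Constructed crafted query, as an attacker would embed it in a link such as
# /sidekiq/locks?filter=%22%3E%3Cscript%3E...%3C%2Fscript%3E&count=%3Cimg%20src%3Dx%3E
CRAFTED_QUERY = "filter=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E" \
                "&count=%3Cimg%20src%3Dx%3E"

if __FILE__ == $PROGRAM_NAME
  page = LocksPage.new(CRAFTED_QUERY)
  puts "vulnerable view reflects <script>: #{reflects_unescaped?(page.render(VULNERABLE_LOCKS_TEMPLATE))}"
  puts "hardened view reflects <script>:   #{reflects_unescaped?(page.render(HARDENED_LOCKS_TEMPLATE))}"
  puts page.render(HARDENED_LOCKS_TEMPLATE)
end
```

The hardened template relies on output escaping at the point of interpolation rather than on sanitising input, because the same `filter` string may legitimately contain `*` or other characters that are only dangerous once placed inside HTML; escaping where the value meets the markup is what the fixed views need, and the integer coercion of `count` removes that parameter as a vector entirely.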
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | sidekiq-unique-jobs | * | cpe:2.3:a:ruby:sidekiq-unique-jobs:*:*:*:*:*:*:*:* |