14161 matches found

Cvelist | added 2023/12/22 8:10 p.m. | 14 views

CVE-2023-50727 Resque vulnerable to reflected XSS in Queue Endpoint

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /". This issue has been patched in version 2.6.0...

CVSS 6.3 | AI score 6.2 | EPSS 0.00657
Exploits 0 | References 3

CVE | added 2023/12/22 8:10 p.m. | 49 views

CVE-2023-50727

CVE-2023-50727 concerns a reflected XSS vulnerability in the Resque (Ruby) web interface. The issue arises when the /queues endpoint is appended with a crafted string (for example, current_queue path manipulation like ">). Affected software is Resque prior to version 2.6.0; the vulnerability i...

CVSS 6.3 | AI score 6.1 | EPSS 0.00657
Exploits 0 | References 3 | Affected software 1

Cvelist | added 2023/12/22 8:02 p.m. | 13 views

CVE-2023-50725 Resque vulnerable to reflected XSS in resque-web failed and queues lists

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=alertdocument.cookie" and "/queues/". This issue has been patched in...

CVSS 6.3 | AI score 6.6 | EPSS 0.00657
Exploits 0 | References 4

CVE | added 2023/12/22 8:02 p.m. | 61 views

CVE-2023-50725

CVE-2023-50725 affects the Resque library’s web UI (resque-web) where two paths, “/failed/?class=” and “/queues/>”, allow reflected XSS. The root cause is improper input validation on those endpoints. Impact stated across sources: remote authenticated attacker could lure a user to click a craf...

CVSS 6.3 | AI score 6.3 | EPSS 0.00657
Exploits 0 | References 4 | Affected software 1

OSV | added 2023/12/22 8:02 p.m. | 8 views

CVE-2023-50725 Resque vulnerable to reflected XSS in resque-web failed and queues lists

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=alertdocument.cookie" and "/queues/". This issue has been patched in...

CVSS 6.3 | AI score 6.5 | EPSS 0.00657
Exploits 0 | References 6

Openbugbounty | added 2023/12/22 10:36 a.m. | 5 views

ruby-hotels.com Cross Site Scripting vulnerability OBB-3819943

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.2
Exploits 0

Debian CVE | added 2023/12/18 12:00 a.m. | 128 views

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted from the extension negotiation message, and a client and server may consequently end up with a connecti...

CVSS 5.9 | AI score 8.3 | EPSS 0.52998
Exploits 4

SUSE CVE | added 2023/12/14 2:07 a.m. | 3 views

SUSE CVE-2015-8314

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

CVSS 7.5 | AI score 6.9 | EPSS 0.00173
Exploits 0 | References 3

OSV | added 2023/12/12 5:15 p.m. | 6 views

CVE-2015-8314

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

CVSS 7.5 | AI score 7.4 | EPSS 0.00173
Exploits 0 | References 4

OSV | added 2023/12/12 5:15 p.m. | 3 views

DEBIAN-CVE-2015-8314

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

CVSS 7.5 | AI score 7.3 | EPSS 0.00173
Exploits 0 | References 1

Prion | added 2023/12/12 5:15 p.m. | 8 views

Design/Logic Flaw

The xaviershay-dm-rails gem 0.10.3.8 for Ruby allows local users to discover MySQL credentials by listing a process and its arguments...

CVSS 1.7 | AI score 6.8 | EPSS 0.00056
Exploits 1 | References 1 | Affected software 1

Prion | added 2023/12/12 5:15 p.m. | 20 views

Design/Logic Flaw

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

CVSS 5 | AI score 7 | EPSS 0.00173
Exploits 0 | References 3 | Affected software 1

NVD | added 2023/12/12 4:15 p.m. | 10 views

CVE-2013-2513

The flashtool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file...

CVSS 9.8 | EPSS 0.00614
Exploits 0 | References 2

Prion | added 2023/12/12 4:15 p.m. | 14 views

Command injection

The flashtool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file...

CVSS 7.5 | AI score 7.4 | EPSS 0.00614
Exploits 0 | References 2 | Affected software 1

Vulnrichment | added 2023/12/12 12:00 a.m. | 3 views

CVE-2015-8314

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

AI score 6.7 | EPSS 0.00173
Exploits 0 | References 3

CVE | added 2023/12/12 12:00 a.m. | 47 views

CVE-2015-2179

The CVE-2015-2179 issue affects the xaviershay-dm-rails gem for Ruby, version 0.10.3.8, where a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb exposes sensitive information via the process table. This can allow local users to discover MySQL credentials ...

CVSS 5.5 | AI score 5.3 | EPSS 0.00056
Exploits 1 | References 1 | Affected software 1

Cvelist | added 2023/12/12 12:00 a.m. | 18 views

CVE-2013-2513

The flashtool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file...

AI score 9.7 | EPSS 0.00614
Exploits 0 | References 2

CVE | added 2023/12/12 12:00 a.m. | 77 views

CVE-2015-8314

CVE-2015-8314 affects the Devise gem for Ruby prior to 3.5.4, where the Remember Me cookie handling is flawed. This flaw may allow an attacker to obtain unauthorized persistent access to an application by leveraging the compromised cookie. The issue is reported across multiple sources (Red Hat, D...

CVSS 7.5 | AI score 7.4 | EPSS 0.00173
Exploits 0 | References 3 | Affected software 1

Rapid7 Blog | added 2023/12/08 7:15 p.m. | 44 views

Metasploit Wrap-Up 12/8/2023

Are You Looking for ACTION? Our very own adfoster-r7 has added a new feature that adds module actions, targets, and aliases to the search feature in Metasploit Framework. As we continue to add modules with diverse goals or targets, we’ve found ourselves leaning on these flags more and more...

CVSS 7.5 | AI score 7.4 | EPSS 0.94329
Exploits 20

Hacker One | added 2023/12/04 3:30 a.m. | 77 views

Ruby: DoS in bigdecimal's sqrt function due to miscalculation of loop iterations

Vulnerability description not provided...

AI score 7.1
Exploits 0