Veracode Vulnerability Database, VERACODE:44726
Dec 19, 2023 - 5:53 a.m.

Cross Site Scripting (XSS)

2023-12-19 05:53:57
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
resque
cross site scripting
reflected xss
html escaping
web pages
attacker
malicious link

CVSS3: 6.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

AI Score: 5.6 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.4%)

resque is vulnerable to reflected cross-site scripting (XSS). The vulnerability is caused by the resque-web component not sanitizing and escaping HTML when it displays the failed and queue-list related web pages. An attacker can get a user to click a malicious link, which leads to reflected XSS when the failed or queue-related pages (/views/failed.erb, /views/queues.erb and /views/key_string.erb) are displayed in the browser.

CPE Name    Operator    Version
resque      le          2.2.0
