Veracode Vulnerability Database, VERACODE:44735
History: Dec 19, 2023 - 7:05 a.m.

Cross Site Scripting (XSS)

2023-12-19 07:05:53
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
resque
cross site scripting
reflected xss
html form
path
resque-web
queues.erb

CVSS3: 6.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

AI Score: 5.5 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.6%)

resque is vulnerable to Reflected Cross Site Scripting (XSS). The resque-web component does not sanitize or escape the current_queue portion of the path, which is written into the action attribute of an HTML form on the /queues endpoint. This can lead to Reflected XSS when the view for the /queues endpoint (/views/queues.erb) is rendered in the browser.
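The flaw class described above, as an added example that is not resque's own code: an ERB form whose action attribute is built from a path segment, rendered without and with HTML escaping. The template text, the "/remove" suffix, the helper names and the sample queue names are constructed for illustration.

```ruby
require "erb"

# Constructed stand-ins for a form in a queues view (not the project's template).
FORM_OPEN = %q{<form method="POST" action="}
FORM_CLOSE = %q{">}
UNSAFE_TEMPLATE = FORM_OPEN + %q{/queues/<%= current_queue %>/remove} + FORM_CLOSE
SAFE_TEMPLATE = FORM_OPEN +
  %q{/queues/<%= ERB::Util.html_escape(current_queue) %>/remove} + FORM_CLOSE

# Render a template with current_queue bound to a value taken from the request path.
def render(template, current_queue)
  ERB.new(template).result_with_hash(current_queue: current_queue)
end

# True when the attribute value still contains a raw quote or angle bracket,
# meaning the path segment can close the attribute and add markup of its own.
def breaks_out?(html)
  inner = html.delete_prefix(FORM_OPEN).delete_suffix(FORM_CLOSE)
  inner.match?(/["<>]/)
end

# Constructed sample inputs: one ordinary queue name, one carrying markup characters.
BENIGN_QUEUE = "mailers"
HOSTILE_QUEUE = %q{x"><b id="injected">}

if __FILE__ == $PROGRAM_NAME
  [BENIGN_QUEUE, HOSTILE_QUEUE].each do |queue|
    [["unsafe", UNSAFE_TEMPLATE], ["safe", SAFE_TEMPLATE]].each do |label, template|
      html = render(template, queue)
      puts "#{label.ljust(6)} breaks_out=#{breaks_out?(html)} #{html}"
    end
  end
end
```

HTML escaping is the part shown here; a value placed in a URL path would normally also be percent-encoded (for example with ERB::Util.url_encode) before being escaped for the attribute.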

CPE
Name | Operator | Version
resque | le | 2.5.0
