Veracode Vulnerability Database: VERACODE:44748
History: Dec 19, 2023 - 9:28 a.m.

Cross-Site Scripting (XSS)

2023-12-19 09:28:50
sca.analysiscenter.veracode.com
Tags: cross-site scripting, vulnerability, sanitization, resque, html, javascript, execution

CVSS3: 6.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

AI Score: 7.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 26.8%)

resque is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of sanitization in the html_escape parameter for the current_queue function. This allows an attacker to manipulate the current_queue parameter in the request URL, which can lead to arbitrary HTML or JavaScript code execution in the web page.

CPE Name    Operator    Version
resque      le          2.0.0
