CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
10.9%
sidekiq-unique-jobs is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to missing input validation and output sanitization for the GET request parameters handled by the endpoints /changelogs, /locks and /expiring_locks of the "admin" web UI. This can allow an attacker to successfully execute malicious code, possibly stealing cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in.
github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed
github.com/mhenrixon/sidekiq-unique-jobs/pull/829
github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7
github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951