Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yOHh4LTh2bTgteDZ3as4AA34N

Resque vulnerable to Reflected Cross Site Scripting through pathnames

Impact

resque-web, the Sinatra-based web UI shipped with resque versions before 2.1.0, is vulnerable to reflected cross-site scripting (XSS): the current_queue value taken from the path of the queues endpoint is reflected into the response without adequate HTML escaping, so a crafted link can execute attacker-controlled script in the browser of a user who opens it.

Patches

v2.1.0

Workarounds

No known workarounds at this time. Until you have upgraded, do not follow third-party or untrusted links to the resque-web interface; as the CVSS vector (PR:L, UI:R) indicates, exploitation requires a logged-in user to open a crafted URL.
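The pattern behind this class of bug, as an added illustration that is not resque-web's own code: a queue name is taken from a path segment, URL-decoded, and interpolated straight into markup. The route shape, the function names and the <script> payload below are assumptions for the demonstration; the hardened form escapes the untrusted value with CGI.escapeHTML before it reaches the HTML.

```ruby
require "cgi"

# Constructed sample input: a queue name as it might arrive, URL-encoded,
# in the path segment of a queues endpoint. The payload is a placeholder
# chosen for the demo, not one taken from the advisory.
ENCODED_PATH    = "/queues/%3Cscript%3Ealert(1)%3C%2Fscript%3E"
MALICIOUS_QUEUE = "<script>alert(1)</script>"

# Hypothetical stand-in for how a router hands the current_queue path
# parameter to a view: take the segment after /queues/ and percent-decode it.
def current_queue_from_path(path)
  m = path.match(%r{\A/queues/([^/?#]+)})
  m && CGI.unescape(m[1])
end

# The reflected-XSS pattern: the untrusted value is interpolated into
# markup verbatim, so any tags in it become part of the page.
def render_queue_heading_unsafe(current_queue)
  "<h1>Queue: #{current_queue}</h1>"
end

# Hardened form: HTML-escape the value on output. CGI.escapeHTML turns
# < > & " ' into entities, so the browser renders the name as text.
def render_queue_heading_safe(current_queue)
  "<h1>Queue: #{CGI.escapeHTML(current_queue)}</h1>"
end

# Reviewer check on rendered output: does the raw input survive as markup?
def reflects_raw_markup?(html, input)
  html.include?(input)
end

if __FILE__ == $0
  queue = current_queue_from_path(ENCODED_PATH)
  puts "unsafe: #{render_queue_heading_unsafe(queue)}"
  puts "safe:   #{render_queue_heading_safe(queue)}"
end
```

The same output-escaping rule applies to any templating path: in ERB views use `<%= h(value) %>` (Rack::Utils.escape_html) rather than raw interpolation, and treat path segments as untrusted exactly like query parameters.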

References

https://github.com/resque/resque/issues/1679
https://github.com/resque/resque/pull/1687

Permalink: https://github.com/advisories/GHSA-r8xx-8vm8-x6wj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOHh4LTh2bTgteDZ3as4AA34N
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 3 months ago


CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

Identifiers: GHSA-r8xx-8vm8-x6wj, CVE-2023-50724
References: Repository: https://github.com/resque/resque
Blast Radius: 24.6

Affected Packages

rubygems:resque
Dependent packages: 485
Dependent repositories: 8,135
Downloads: 41,775,412 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.2.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 2.0.0
All unaffected versions: 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0
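A quick way to test an application against the affected range above, as an added example that is not part of the advisory: read the pinned resque version out of Gemfile.lock and compare it with the fixed version using Gem::Version, which understands the same ordering Bundler does (so 1.9.10 sorts after 1.9.9). The lockfile excerpt is constructed and abbreviated for the demo.

```ruby
require "rubygems" # Gem::Version ships with RubyGems, bundled with Ruby

# From the advisory: every resque release before 2.1.0 is affected.
FIXED_IN = "2.1.0"

def affected?(version_string)
  Gem::Version.new(version_string) < Gem::Version.new(FIXED_IN)
end

# Pull the resolved resque version from Gemfile.lock text. Only the
# "resque (x.y.z)" line under specs: matches; dependency lines such as
# "resque" or "resque (~> 1.27)" do not, because the group is digits only.
def resque_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+resque \((\d+(?:\.\d+)*)\)\s*$/)
  m && m[1]
end

def lockfile_report(lockfile_text)
  version = resque_version_from_lockfile(lockfile_text)
  {
    version:  version,
    affected: version ? affected?(version) : false,
    fixed_in: FIXED_IN,
  }
end

# Constructed, abbreviated Gemfile.lock: resque pinned to the last 1.x release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mono_logger (1.1.1)
      resque (1.27.4)
        mono_logger (~> 1.0)

  DEPENDENCIES
    resque (~> 1.27)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  r = lockfile_report(text)
  puts "resque #{r[:version] || 'not found'}: #{r[:affected] ? "AFFECTED, upgrade to >= #{r[:fixed_in]}" : 'not affected'}"
end
```

Run it as `ruby check_resque.rb Gemfile.lock` in the application root; the upgrade itself is `bundle update resque` after raising the constraint in the Gemfile to at least 2.1.0.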