Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOHh4LTh2bTgteDZ3as4AA34N
Resque vulnerable to Reflected Cross Site Scripting through pathnames
Impact
resque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint.
Patches
v2.1.0
Workarounds
No known workarounds at this time. It is recommended not to click on third-party or untrusted links to the resque-web interface until you have patched your application.
References
https://github.com/resque/resque/issues/1679
https://github.com/resque/resque/pull/1687
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOHh4LTh2bTgteDZ3as4AA34N
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 3 months ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Identifiers: GHSA-r8xx-8vm8-x6wj, CVE-2023-50724
References:
- https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj
- https://github.com/resque/resque/issues/1679
- https://github.com/resque/resque/pull/1687
- https://github.com/resque/resque/commit/e8e2367fff6990d13109ec2483a456a05fbf9811
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50724.yml
- https://nvd.nist.gov/vuln/detail/CVE-2023-50724
- https://github.com/advisories/GHSA-r8xx-8vm8-x6wj
Blast Radius: 24.6
Affected Packages
rubygems:resque
Dependent packages: 485
Dependent repositories: 8,135
Downloads: 41,775,412 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.2.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 2.0.0
All unaffected versions: 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0