Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yOW1xLW03MngtMjU3Z84AA34L

Resque vulnerable to reflected XSS in Queue Endpoint

Impact

Reflected XSS can be performed using the current_queue portion of the path on the /queues endpoint of resque-web.

Patches

v2.6.0

Workarounds

No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/pull/1865

Permalink: https://github.com/advisories/GHSA-r9mq-m72x-257g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOW1xLW03MngtMjU3Z84AA34L
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 4 months ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

Identifiers: GHSA-r9mq-m72x-257g, CVE-2023-50727
References:

Repository: https://github.com/resque/resque
Blast Radius: 24.6

Affected Packages

rubygems:resque

Dependent packages: 485
Dependent repositories: 8,135
Downloads: 41,775,412 total
Affected Version Ranges: < 2.6.0
Fixed in: 2.6.0
All affected versions: 0.2.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0
All unaffected versions: 2.6.0