CVE-2024-25122Cross-site Scripting in Sidekiq-unique-jobs

CWE-79Cross-site ScriptingCWE-400Uncontrolled Resource ConsumptionCWE-754Improper Check for Unusual or Exceptional ConditionsCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.1%
top 73.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mhenrixon Sidekiq-unique-jobs
Timeline
PublishedFeb 13

Description

sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the side

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

NVDmhenrixon/sidekiq-unique-jobs8.0.08.0.7+1
RubyGemsmhenrixon/sidekiq-unique-jobs8.0.08.0.7+1
CVEListV5mhenrixon/sidekiq-unique-jobs>= 8.0.0, < 8.0.7

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
XSS sidekiq-unique-jobs UI server vulnerability2024-02-13
OSV
XSS sidekiq-unique-jobs UI server vulnerability2024-02-13