CVE-2024-32887 — Cross-site Scripting in Sidekiq

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 48.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Contribsys Sidekiq Sidekiq Debian Ruby-sidekiq

Timeline

PublishedApr 26

Description

Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 2.1 | Impact: 3.4

Affected Packages3 packages

▶debiandebian/ruby-sidekiq

▶RubyGemscontribsys/sidekiq7.2.0 — 7.2.4

▶CVEListV5sidekiq/sidekiq>= 7.2.0, < 7.2.4

🔴Vulnerability Details

GHSA

Sidekiq vulnerable to a Reflected XSS in Queues Web Page↗2024-04-26

▶

OSV

Sidekiq vulnerable to a Reflected XSS in Queues Web Page↗2024-04-26

▶

OSV

CVE-2024-32887: Sidekiq is simple, efficient background processing for Ruby↗2024-04-26

▶

📋Vendor Advisories

Red Hat

ruby-sidekiq: Reflected XSS in Metrics Web Page↗2024-04-26

▶

Debian

CVE-2024-32887: ruby-sidekiq - Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflecte...↗2024

▶