Resque Scheduler versions 1.27.4 and above, prior to the fix in v4.10.2, are affected by a reflected cross-site scripting vulnerability. A remote attacker can inject JavaScript into the "{schedulejob}" path segment or the "args" query parameter of /resque/delayed/jobs/{schedulejob}?args={args_id}; the injected value is reflected into the resque-web page and executes in the browser of any resque-web user who opens the crafted link.
Fixed in v4.10.2
No known workarounds at this time. Because the attack requires a victim to open a crafted link while using resque-web, it is recommended not to follow third-party or untrusted links to the resque-web interface until you have patched your application.
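As an added illustration, not resque-scheduler's own view code and not the project's actual fix, the following Ruby shows the reflected-XSS pattern the advisory describes: a hypothetical ERB view for the delayed-jobs page that reflects the job name and args unescaped, the same view with HTML escaping applied, and a check that feeds a constructed probe through a crafted link of the shape named above and verifies that no unescaped copy survives rendering. The template shapes, helper names, and probe payload are all assumptions made for this example.

```ruby
require "erb"
require "cgi"

# Added illustration, not resque-scheduler's own view code: two hypothetical
# ERB templates standing in for the delayed-jobs page, one that reflects the
# job name and args unescaped and one that HTML-escapes them.
VULNERABLE_VIEW = <<~'TEMPLATE'
  <h1>Delayed jobs for <%= job_class %></h1>
  <p>Args: <%= args %></p>
TEMPLATE

HARDENED_VIEW = <<~'TEMPLATE'
  <h1>Delayed jobs for <%= ERB::Util.html_escape(job_class) %></h1>
  <p>Args: <%= ERB::Util.html_escape(args) %></p>
TEMPLATE

# Constructed probe payload; any copy that survives rendering intact would
# execute in the viewer's browser.
XSS_PROBE = "<script>alert(document.cookie)</script>".freeze

# Render a template with the two request-controlled values.
def render_view(template, job_class, args)
  ERB.new(template).result_with_hash(job_class: job_class, args: args)
end

# Hypothetical crafted link of the shape named in the advisory, with the
# values URL-encoded into the {schedulejob} segment and the args parameter.
def crafted_link(job_class, args)
  "/resque/delayed/jobs/#{CGI.escape(job_class)}?args=#{CGI.escape(args)}"
end

# Simulate what the server does with such a link: decode the path segment
# and the query value back into strings before handing them to the view.
def params_from_link(link)
  path, query = link.split("?", 2)
  job_class = CGI.unescape(path.split("/").last)
  args = CGI.unescape(query.sub(/\Aargs=/, ""))
  [job_class, args]
end

# The check: a template is safe against this probe only if no unescaped
# copy of the probe appears in the rendered HTML.
def escapes_untrusted_input?(template, probe = XSS_PROBE)
  job_class, args = params_from_link(crafted_link(probe, probe))
  !render_view(template, job_class, args).include?(probe)
end

if __FILE__ == $PROGRAM_NAME
  puts crafted_link(XSS_PROBE, XSS_PROBE)
  puts render_view(VULNERABLE_VIEW, XSS_PROBE, XSS_PROBE)
  puts render_view(HARDENED_VIEW, XSS_PROBE, XSS_PROBE)
  puts "vulnerable view escapes input? #{escapes_untrusted_input?(VULNERABLE_VIEW)}"
  puts "hardened view escapes input?   #{escapes_untrusted_input?(HARDENED_VIEW)}"
end
```

The hardened template uses ERB::Util.html_escape from Ruby's standard library; in a Sinatra app Rack::Utils.escape_html does the same job. Either way the rule is the same: every request-derived value, including path segments, is escaped at the point it is interpolated into HTML, and a probe like the one above is a quick regression check to run against any view that reflects request data.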
{
"github_reviewed": true,
"severity": "MODERATE",
"github_reviewed_at": "2023-12-18T19:30:32Z",
"nvd_published_at": null,
"cwe_ids": [
"CWE-79"
]
}