GHSA-r8xx-8vm8-x6wj

Source

https://github.com/advisories/GHSA-r8xx-8vm8-x6wj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-r8xx-8vm8-x6wj/GHSA-r8xx-8vm8-x6wj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r8xx-8vm8-x6wj

Aliases

CVE-2023-50724

Published

2023-12-18T19:34:14Z

Modified

2024-02-16T08:24:48.277556Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N CVSS Calculator

Summary

Resque vulnerable to Reflected Cross Site Scripting through pathnames

Details

Impact

resque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint.

Patches

v2.1.0

Workarounds

No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/issues/1679 https://github.com/resque/resque/pull/1687

References

Affected packages

RubyGems / resque

Package

Name: resque
Purl: pkg:gem/resque

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Affected versions

0.*

0.2.0

1.*

1.0.0

1.1.0

1.2.0

1.2.1

1.2.3

1.3.0

1.3.1

1.4.0

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.7.0

1.7.1

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.7

1.9.8

1.9.9

1.9.10

1.10.0

1.11.0

1.12.0

1.13.0

1.14.0

1.15.0

1.16.0

1.16.1

1.17.0

1.17.1

1.18.0

1.18.1

1.18.2

1.18.3

1.18.4

1.18.5

1.18.6

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.23.1

1.24.0

1.24.1

1.25.0.pre

1.25.0

1.25.1

1.25.2

1.26.pre.0

1.26.0

1.27.0

1.27.1

1.27.2

1.27.3

1.27.4

2.*

2.0.0