CVE-2022-44303.yml
---
gem: resque-scheduler
cve: 2022-44303
ghsa: 9hmq-fm33-x4xx
url: https://github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
title: Resque Scheduler Reflected XSS In Delayed Jobs View
date: 2023-12-18
description: |
  ### Impact
  Resque Scheduler versions 1.27.4 and above are affected by a reflected
  cross-site scripting vulnerability. A remote attacker can inject JavaScript
  code into the "{schedule_job}" or "args" parameter of
  /resque/delayed/jobs/{schedule_job}?args={args_id} and have it execute
  in the victim's browser.
  ### Patches
  Fixed in v4.10.2
  ### Workarounds
  No known workarounds at this time. It is recommended not to click on
  third-party or untrusted links to the resque-web interface until you
  have patched your application.
  ### References
  * https://nvd.nist.gov/vuln/detail/CVE-2022-44303
  * https://github.com/resque/resque-scheduler/issues/761
  * https://github.com/resque/resque/issues/1885
  * https://github.com/resque/resque-scheduler/pull/780
  * https://github.com/resque/resque-scheduler/pull/783
cvss_v3: 6.3
unaffected_versions:
  - "< 1.27.4"
patched_versions:
  - ">= 4.10.2"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-44303
    - https://github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
    - https://trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job
    - https://github.com/advisories/GHSA-9hmq-fm33-x4xx