Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for resque by resque
CVE-2023-50727 (GCVE-0-2023-50727)
Vulnerability from cvelistv5 – Published: 2023-12-22 20:10 – Updated: 2025-04-23 16:17
VLAI
Title
Resque vulnerable to reflected XSS in Queue Endpoint
Summary
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /"><svg%20onload=alert(domain)>. This issue has been patched in version 2.6.0.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/pull/1865 | x_refsource_MISC |
| https://github.com/resque/resque/commit/7623b8dfb… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.210Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g"
},
{
"name": "https://github.com/resque/resque/pull/1865",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1865"
},
{
"name": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T16:36:53.442840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:17:49.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /\"\u003e\u003csvg%20onload=alert(domain)\u003e. This issue has been patched in version 2.6.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:10:10.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g"
},
{
"name": "https://github.com/resque/resque/pull/1865",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1865"
},
{
"name": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a"
}
],
"source": {
"advisory": "GHSA-r9mq-m72x-257g",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected XSS in Queue Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50727",
"datePublished": "2023-12-22T20:10:10.964Z",
"dateReserved": "2023-12-11T17:53:36.032Z",
"dateUpdated": "2025-04-23T16:17:49.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50725 (GCVE-0-2023-50725)
Vulnerability from cvelistv5 – Published: 2023-12-22 20:02 – Updated: 2024-08-02 22:16
VLAI
Title
Resque vulnerable to reflected XSS in resque-web failed and queues lists
Summary
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=<script>alert(document.cookie)</script>" and "/queues/><img src=a onerror=alert(document.cookie)>". This issue has been patched in version 2.2.1.
Severity
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/pull/1790 | x_refsource_MISC |
| https://github.com/resque/resque/commit/ee99d2ed6… | x_refsource_MISC |
| https://github.com/rubysec/ruby-advisory-db/blob/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
},
{
"name": "https://github.com/resque/resque/pull/1790",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1790"
},
{
"name": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: \"/failed/?class=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\" and \"/queues/\u003e\u003cimg src=a onerror=alert(document.cookie)\u003e\". This issue has been patched in version 2.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:02:15.568Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
},
{
"name": "https://github.com/resque/resque/pull/1790",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1790"
},
{
"name": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
}
],
"source": {
"advisory": "GHSA-gc3j-vvwf-4rp8",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected XSS in resque-web failed and queues lists"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50725",
"datePublished": "2023-12-22T20:02:15.568Z",
"dateReserved": "2023-12-11T17:53:36.031Z",
"dateUpdated": "2024-08-02T22:16:47.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50724 (GCVE-0-2023-50724)
Vulnerability from cvelistv5 – Published: 2023-12-21 14:50 – Updated: 2024-08-27 15:02
VLAI
Title
Resque vulnerable to reflected cross site scripting through pathname
Summary
Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/issues/1679 | x_refsource_MISC |
| https://github.com/resque/resque/pull/1687 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj"
},
{
"name": "https://github.com/resque/resque/issues/1679",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/issues/1679"
},
{
"name": "https://github.com/resque/resque/pull/1687",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1687"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T14:51:32.748402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:02:43.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque (pronounced like \"rescue\") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T14:50:29.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj"
},
{
"name": "https://github.com/resque/resque/issues/1679",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/issues/1679"
},
{
"name": "https://github.com/resque/resque/pull/1687",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1687"
}
],
"source": {
"advisory": "GHSA-r8xx-8vm8-x6wj",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected cross site scripting through pathname "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50724",
"datePublished": "2023-12-21T14:50:29.294Z",
"dateReserved": "2023-12-11T17:53:36.031Z",
"dateUpdated": "2024-08-27T15:02:43.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50727 (GCVE-0-2023-50727)
Vulnerability from nvd – Published: 2023-12-22 20:10 – Updated: 2025-04-23 16:17
VLAI
Title
Resque vulnerable to reflected XSS in Queue Endpoint
Summary
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /"><svg%20onload=alert(domain)>. This issue has been patched in version 2.6.0.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/pull/1865 | x_refsource_MISC |
| https://github.com/resque/resque/commit/7623b8dfb… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.210Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g"
},
{
"name": "https://github.com/resque/resque/pull/1865",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1865"
},
{
"name": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T16:36:53.442840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:17:49.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /\"\u003e\u003csvg%20onload=alert(domain)\u003e. This issue has been patched in version 2.6.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:10:10.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g"
},
{
"name": "https://github.com/resque/resque/pull/1865",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1865"
},
{
"name": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a"
}
],
"source": {
"advisory": "GHSA-r9mq-m72x-257g",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected XSS in Queue Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50727",
"datePublished": "2023-12-22T20:10:10.964Z",
"dateReserved": "2023-12-11T17:53:36.032Z",
"dateUpdated": "2025-04-23T16:17:49.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50725 (GCVE-0-2023-50725)
Vulnerability from nvd – Published: 2023-12-22 20:02 – Updated: 2024-08-02 22:16
VLAI
Title
Resque vulnerable to reflected XSS in resque-web failed and queues lists
Summary
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=<script>alert(document.cookie)</script>" and "/queues/><img src=a onerror=alert(document.cookie)>". This issue has been patched in version 2.2.1.
Severity
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/pull/1790 | x_refsource_MISC |
| https://github.com/resque/resque/commit/ee99d2ed6… | x_refsource_MISC |
| https://github.com/rubysec/ruby-advisory-db/blob/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
},
{
"name": "https://github.com/resque/resque/pull/1790",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1790"
},
{
"name": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: \"/failed/?class=\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\" and \"/queues/\u003e\u003cimg src=a onerror=alert(document.cookie)\u003e\". This issue has been patched in version 2.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-22T20:02:15.568Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8"
},
{
"name": "https://github.com/resque/resque/pull/1790",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1790"
},
{
"name": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resque/CVE-2023-50725.yml"
}
],
"source": {
"advisory": "GHSA-gc3j-vvwf-4rp8",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected XSS in resque-web failed and queues lists"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50725",
"datePublished": "2023-12-22T20:02:15.568Z",
"dateReserved": "2023-12-11T17:53:36.031Z",
"dateUpdated": "2024-08-02T22:16:47.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50724 (GCVE-0-2023-50724)
Vulnerability from nvd – Published: 2023-12-21 14:50 – Updated: 2024-08-27 15:02
VLAI
Title
Resque vulnerable to reflected cross site scripting through pathname
Summary
Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/resque/resque/security/advisor… | x_refsource_CONFIRM |
| https://github.com/resque/resque/issues/1679 | x_refsource_MISC |
| https://github.com/resque/resque/pull/1687 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:47.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj"
},
{
"name": "https://github.com/resque/resque/issues/1679",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/issues/1679"
},
{
"name": "https://github.com/resque/resque/pull/1687",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/resque/resque/pull/1687"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T14:51:32.748402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:02:43.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "resque",
"vendor": "resque",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Resque (pronounced like \"rescue\") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T14:50:29.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj"
},
{
"name": "https://github.com/resque/resque/issues/1679",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/issues/1679"
},
{
"name": "https://github.com/resque/resque/pull/1687",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/resque/resque/pull/1687"
}
],
"source": {
"advisory": "GHSA-r8xx-8vm8-x6wj",
"discovery": "UNKNOWN"
},
"title": "Resque vulnerable to reflected cross site scripting through pathname "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-50724",
"datePublished": "2023-12-21T14:50:29.294Z",
"dateReserved": "2023-12-11T17:53:36.031Z",
"dateUpdated": "2024-08-27T15:02:43.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}