Bug 2277678 (CVE-2024-32887)
| Summary: | CVE-2024-32887 ruby-sidekiq: Reflected XSS in Metrics Web Page | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | akostadi, amasferr, cbartlet, chazlett, dmayorov, jlledo, mkudlej, mmakovy, tjochec |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sidekiq 7.2.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A reflected Cross-site scripting (XSS) vulnerability was found in Rubygem Sidekiq. The value of the substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit this to target the users of the Sidekiq Web UI and users of other applications deployed on the same domain or website as that of the Sidekiq website. This issue potentially compromises user accounts and data, forcing the users to perform sensitive actions that involve stealing sensitive data, performing CORS attacks, or defacement of the web application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2277679, 2277680 | ||
| Bug Blocks: | 2277681 | ||
|
Description
TEJ RATHI
2024-04-29 06:27:20 UTC
|