Bug 2013503 (CVE-2021-30151) - CVE-2021-30151 sidekiq: XSS via the queue name of the live-poll feature
Summary: CVE-2021-30151 sidekiq: XSS via the queue name of the live-poll feature
Keywords:
Status: NEW
Alias: CVE-2021-30151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2016282
Blocks: 2013504
TreeView+ depends on / blocked
 
Reported: 2021-10-13 05:05 UTC by Marian Rehak
Modified: 2021-11-05 21:34 UTC (History)
21 users (show)

Fixed In Version: sidekiq 5.2.0, sidekiq 6.2.1
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting vulnerability was found in sidekiq via the queue name of the live-poll feature. A potential attacker can impersonate or masquerade as the victim user using this vulnerability when Internet Explorer is used.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2021-10-13 05:05:06 UTC
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.

Upstream Advisory:

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sidekiq/CVE-2021-30151.yml


Note You need to log in before you can comment on or make changes to this bug.