CVE-2023-50724 MEDIUM

CVE-2023-50724: Resque vulnerable to reflected cross site scripting through pathname

Vendor Resque
Product resque
Weakness CWE-79 · XSS
Published December 21, 2023
Last update August 27, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.

Key dates

02 Disclosure timeline

December 21, 2023 CVE published
August 27, 2024 Record updated