Vulnerabilities related to contribsys - sidekiq
Vulnerability from fkie_nvd
Published
2022-01-21 21:15
Modified
2024-11-21 06:49
Severity ?
Summary
In api.rb in Sidekiq before 5.2.10 and, in the 6.x series, before 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | * | |
contribsys | sidekiq | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6B15EF8-61E6-4DED-B338-1BAB5FA46E67", "versionEndExcluding": "5.2.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B68F3B1-8E41-4B23-9461-0DC222E0A92A", "versionEndExcluding": "6.4.0", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users." }, { "lang": "es", "value": "En api.rb en Sidekiq antes de la versi\u00f3n 5.2.10 y 6.4.0, no hay l\u00edmite en el n\u00famero de d\u00edas cuando se solicitan estad\u00edsticas para el gr\u00e1fico. 
Esto sobrecarga el sistema, afectando a la interfaz web, y hace que no est\u00e9 disponible para los usuarios" } ], "id": "CVE-2022-23837", "lastModified": "2024-11-21T06:49:20.953", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-21T21:15:09.283", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/rubysec/ruby-advisory-db/pull/495" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "source": "cve@mitre.org", "url": 
"https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/rubysec/ruby-advisory-db/pull/495" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-01 14:15
Modified
2025-04-18 14:29
Severity ?
Summary
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted payload to the uniquejobs function. Note that the references listed below point to the sidekiq-unique-jobs gem (fix in its v8.0.7 release) rather than to the Sidekiq core package, so check that gem's version when assessing exposure.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829 | Issue Tracking | |
cve@mitre.org | https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7 | Release Notes | |
cve@mitre.org | https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38 | Exploit, Vendor Advisory | |
cve@mitre.org | https://link.org | Permissions Required | |
cve@mitre.org | https://www.link.com | Not Applicable | |
cve@mitre.org | https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://link.org | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.link.com | Not Applicable |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | 6.5.8 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:6.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "025B9EF1-D72F-49B3-9BE0-D1C7276E3F51", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted payload to the uniquejobs function." }, { "lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting en Contribsys Sidekiq v.6.5.8 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s de un payload manipulado para la funci\u00f3n Uniquejobs." } ], "id": "CVE-2023-46951", "lastModified": "2025-04-18T14:29:50.863", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-03-01T14:15:53.087", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" }, { "source": "cve@mitre.org", "tags": [ "Release Notes" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "source": "cve@mitre.org", "tags": [ "Permissions Required" ], "url": "https://link.org" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "https://www.link.com" }, { 
"source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://link.org" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "https://www.link.com" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-04-21 05:15
Modified
2024-11-21 07:40
Severity ?
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B32B98F-EEB2-4982-976A-BEC2ECE01909", "versionEndExcluding": "7.0.8", "versionStartIncluding": "7.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8." } ], "id": "CVE-2023-1892", "lastModified": "2024-11-21T07:40:05.820", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-21T05:15:07.057", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-06 06:15
Modified
2024-11-21 06:03
Severity ?
Summary
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/mperham/sidekiq/issues/4852 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mperham/sidekiq/issues/4852 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | * | |
contribsys | sidekiq | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE56AA35-CDD5-41CD-BC84-82DEF18AE786", "versionEndIncluding": "5.1.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF48E0F3-8D6A-4F28-869C-2E42A2BF9AE8", "versionEndIncluding": "6.2.0", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used." }, { "lang": "es", "value": "Sidekiq versiones hasta 5.1.3 y versiones 6.x hasta 6.2.0, permite un ataque de tipo XSS por medio del nombre queue de la funcionalidad live-poll cuando es usado Internet Explorer" } ], "id": "CVE-2021-30151", "lastModified": "2024-11-21T06:03:24.160", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", 
"scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-04-06T06:15:15.547", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/mperham/sidekiq/issues/4852" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/mperham/sidekiq/issues/4852" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-01 14:15
Modified
2025-04-18 14:30
Severity ?
Summary
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions. Note that the references listed below point to the sidekiq-unique-jobs gem (fix in its v8.0.7 release) rather than to the Sidekiq core package, so check that gem's version when assessing exposure.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | 6.5.8 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:6.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "025B9EF1-D72F-49B3-9BE0-D1C7276E3F51", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions." }, { "lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting en Contribsys Sidekiq v.6.5.8 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s de una URL manipulada para las funciones de filtro." } ], "id": "CVE-2023-46950", "lastModified": "2025-04-18T14:30:56.840", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-03-01T14:15:53.030", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" }, { "source": "cve@mitre.org", "tags": [ "Release Notes" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://link.org" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "https://www.link.com" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-14 05:15
Modified
2024-11-21 07:50
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
contribsys | sidekiq | * | |
contribsys | sidekiq | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "825EBC88-1B2F-4264-816E-F1F455207FCF", "versionEndExcluding": "6.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C9916BC-BC63-42B1-BBA9-3FAC86B9465E", "versionEndExcluding": "7.1.3", "versionStartIncluding": "7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests." }, { "lang": "es", "value": "Las versiones del paquete sidekiq anteriores a la 7.1.3 son vulnerables a la Denegaci\u00f3n de Servicio (DoS) debido a comprobaciones insuficientes en el archivo dashboard-charts.js. Un atacante puede aprovechar esta vulnerabilidad manipulando el valor de localStorage, lo que provocar\u00e1 peticiones excesivas." 
} ], "id": "CVE-2023-26141", "lastModified": "2024-11-21T07:50:51.770", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-14T05:15:11.363", "references": [ { "source": "report@snyk.io", "tags": [ "Exploit" ], "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a" }, { "source": "report@snyk.io", "tags": [ "Broken Link" ], "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6" }, { "source": "report@snyk.io", "tags": [ "Patch" ], "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89" }, { "source": "report@snyk.io", "tags": [ "Third Party Advisory" ], "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107" } ], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "report@snyk.io", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-345" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
CVE-2022-23837 (GCVE-0-2022-23837)
Vulnerability from cvelistv5
Published
2022-01-21 00:00
Modified
2024-08-03 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In api.rb in Sidekiq before 5.2.10 and, in the 6.x series, before 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:51:45.990Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956" }, { "tags": [ "x_transferred" ], "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md" }, { "tags": [ "x_transferred" ], "url": "https://github.com/rubysec/ruby-advisory-db/pull/495" }, { "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-12T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956" }, { "url": "https://github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md" }, { "url": "https://github.com/rubysec/ruby-advisory-db/pull/495" }, { "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-23837", "datePublished": "2022-01-21T00:00:00", "dateReserved": "2022-01-21T00:00:00", "dateUpdated": "2024-08-03T03:51:45.990Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46951 (GCVE-0-2023-46951)
Vulnerability from cvelistv5
Published
2024-03-01 00:00
Modified
2025-04-22 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted payload to the uniquejobs function. Note that the references in the record below point to the sidekiq-unique-jobs gem (fix in its v8.0.7 release) rather than to the Sidekiq core package, so check that gem's version when assessing exposure.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sidekiq", "vendor": "contribsys", "versions": [ { "status": "affected", "version": "v.6.5.8" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-46951", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T21:01:21.190541Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-22T15:45:39.488Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:21.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.link.com" }, { "tags": [ "x_transferred" ], "url": "https://link.org" }, { "tags": [ "x_transferred" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker 
to obtain sensitive information via a crafted payload to the uniquejobs function." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-13T15:20:49.803Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.link.com" }, { "url": "https://link.org" }, { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" }, { "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" }, { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-46951", "datePublished": "2024-03-01T00:00:00.000Z", "dateReserved": "2023-10-30T00:00:00.000Z", "dateUpdated": "2025-04-22T15:45:39.488Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-30151 (GCVE-0-2021-30151)
Vulnerability from cvelistv5
Published
2021-04-06 00:00
Modified
2024-08-03 22:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:24:59.859Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/mperham/sidekiq/issues/4852" }, { "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-12T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mperham/sidekiq/issues/4852" }, { "name": "[debian-lts-announce] 20220310 [SECURITY] [DLA 2943-1] ruby-sidekiq security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00015.html" }, { "name": "[debian-lts-announce] 20230312 [SECURITY] [DLA 3360-1] ruby-sidekiq security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00011.html" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-30151", "datePublished": "2021-04-06T00:00:00", "dateReserved": "2021-04-06T00:00:00", "dateUpdated": "2024-08-03T22:24:59.859Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-26141 (GCVE-0-2023-26141)
Vulnerability from cvelistv5
Published
2023-09-14 05:00
Modified
2024-09-25 18:16
CWE
- CWE-400 - Denial of Service (DoS)
Summary
Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value, which causes excessive polling requests.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:39:06.828Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107" }, { "tags": [ "x_transferred" ], "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a" }, { "tags": [ "x_transferred" ], "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6" }, { "tags": [ "x_transferred" ], "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sidekiq", "vendor": "contribsys", "versions": [ { "lessThan": "6.5.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "7.1.3", "status": "affected", "version": "7.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-26141", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-25T18:12:16.582418Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-25T18:16:01.457Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "sidekiq", "vendor": "n/a", "versions": [ { "lessThan": "7.1.3", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "value": "Keegan Parr" } ], "descriptions": [ { "lang": "en", "value": "Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of 
Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "Denial of Service (DoS)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-14T05:00:00.986Z", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk" }, "references": [ { "url": "https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107" }, { "url": "https://gist.github.com/keeganparr1/1dffd3c017339b7ed5371ed3d81e6b2a" }, { "url": "https://github.com/sidekiq/sidekiq/blob/6-x/web/assets/javascripts/dashboard.js%23L6" }, { "url": "https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89" } ] } }, "cveMetadata": { "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2023-26141", "datePublished": "2023-09-14T05:00:00.986Z", "dateReserved": "2023-02-20T10:28:48.926Z", "dateUpdated": "2024-09-25T18:16:01.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46950 (GCVE-0-2023-46950)
Vulnerability from cvelistv5
Published
2024-03-01 00:00
Modified
2024-09-16 19:57
CWE
- n/a
Summary
A cross-site scripting vulnerability in Contribsys Sidekiq v6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:21.932Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.link.com" }, { "tags": [ "x_transferred" ], "url": "https://link.org" }, { "tags": [ "x_transferred" ], "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:contribsys:sidekiq:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sidekiq", "vendor": "contribsys", "versions": [ { "status": "affected", "version": "6.5.8" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-46950", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T15:06:13.214798Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-21T15:08:14.022Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to 
obtain sensitive information via a crafted URL to the filter functions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-16T19:57:04.342263", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38" }, { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/releases/tag/v8.0.7" }, { "url": "https://www.mgm-sp.com/cve/sidekiq-unique-jobs-reflected-xss-cve-2023-46950-cve-2023-46951" }, { "url": "https://github.com/mhenrixon/sidekiq-unique-jobs/pull/829" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-46950", "datePublished": "2024-03-01T00:00:00", "dateReserved": "2023-10-30T00:00:00", "dateUpdated": "2024-09-16T19:57:04.342263", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-1892 (GCVE-0-2023-1892)
Vulnerability from cvelistv5
Published
2023-04-05 00:00
Modified
2025-02-10 19:45
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Reflected cross-site scripting (XSS) in the GitHub repository sidekiq/sidekiq prior to 7.0.8.
References
Impacted products
Vendor | Product | Version |
---|---|---|
sidekiq | sidekiq/sidekiq | Version: 7.0.4 < unspecified; Version: unspecified < 7.0.8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:05:26.789Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777" }, { "tags": [ "x_transferred" ], "url": "https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-1892", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-10T19:45:49.620050Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-10T19:45:53.353Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "sidekiq/sidekiq", "vendor": "sidekiq", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "7.0.4", "versionType": "custom" }, { "lessThan": "7.0.8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-21T00:00:00.000Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/e35e5653-c429-4fb8-94a3-cbc123ae4777" }, { "url": "https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214" } ], "source": { "advisory": "e35e5653-c429-4fb8-94a3-cbc123ae4777", "discovery": "EXTERNAL" }, "title": "Cross-site Scripting (XSS) - Reflected in sidekiq/sidekiq" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2023-1892", "datePublished": "2023-04-05T00:00:00.000Z", "dateReserved": "2023-04-05T00:00:00.000Z", "dateUpdated": "2025-02-10T19:45:53.353Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }