Headline
CVE-2022-44303: Resque 1.27.4 - Multiple Reflected XSS in Resque Schedule Job
Exploit Author: TrungVM of VietSunshine Cyber Security Services
Affected Version(s): Resque Scheduler version 1.27.4
Description: Resque Scheduler version 1.27.4 is vulnerable to cross-site scripting (XSS). A remote attacker could inject JavaScript code into the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id}, which then executes on the client side.
Steps to reproduce: An attacker sends a crafted URL https://{IP}/resque/delayed/jobs/{schedule_job}?args={args_id} to a victim. When an authenticated victim opens the URL, the XSS is triggered.
- Ex1: https://{IP}/resque/delayed/jobs/%3Csvg%20onload=alert(document.domain)
- Ex2: https://{IP}/resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]
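A log-triage check for the request shapes listed above, added here as an example; it is not code from the advisory or from the Resque project. It assumes combined-format access logs and the /resque mount path shown in the URLs, treats a job segment as legitimate only if it looks like a Ruby class name, and runs over constructed sample log lines.

```ruby
require "uri"

# Constructed sample access-log lines; clients, timestamps and sizes are made up.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Dec/2022:10:00:00 +0000] "GET /resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=%5B%2249213%22%5D HTTP/1.1" 200 5120
  10.0.0.9 - - [01/Dec/2022:10:02:11 +0000] "GET /resque/delayed/jobs/%3Csvg%20onload=alert(document.domain) HTTP/1.1" 200 4801
  10.0.0.9 - - [01/Dec/2022:10:03:40 +0000] "GET /resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22] HTTP/1.1" 200 5233
  10.0.0.7 - - [01/Dec/2022:10:05:02 +0000] "GET /resque/overview HTTP/1.1" 200 2048
LOG

PREFIX   = "/resque/delayed/jobs/"  # mount path as shown on the page; adjust to your deployment
JOB_NAME = /\A[A-Za-z0-9_:]+\z/     # assumption: job names are plain Ruby class names
MARKUP   = /[<>]/                   # JSON args legitimately contain quotes, so only tag brackets are flagged

# Percent-decode one URL component; malformed encodings are kept raw so they are still inspected.
def decode(component)
  URI.decode_www_form_component(component).scrub
rescue ArgumentError
  component
end

# Returns the reasons a request target looks like an injection attempt (empty if none).
def suspicious_reasons(target)
  path, query = target.split("?", 2)
  return [] unless path.start_with?(PREFIX)

  reasons = []
  job = decode(path.delete_prefix(PREFIX))
  reasons << "job segment is not a class name: #{job.inspect}" unless job.empty? || job.match?(JOB_NAME)
  query.to_s.split("&").each do |pair|
    key, value = pair.split("=", 2).map { |part| decode(part.to_s) }
    reasons << "markup in args: #{value.inspect}" if key == "args" && value.to_s.match?(MARKUP)
  end
  reasons
end

# Scans log text and returns one hash per flagged request.
def scan(log)
  log.each_line.filter_map do |line|
    target = line[/"[A-Z]+ (\S+) HTTP\/[\d.]+"/, 1] or next
    reasons = suspicious_reasons(target)
    { client: line.split.first, target: target, reasons: reasons } unless reasons.empty?
  end
end

scan(SAMPLE_LOG).each { |hit| puts "#{hit[:client]}  #{hit[:reasons].join('; ')}" }
```

A hit only shows that such a URL was requested; whether script ran depends on the installed version and on the requester having an authenticated session.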
Related news
### Impact
Resque Scheduler version 1.27.4 and above are affected by a cross-site scripting vulnerability. A remote attacker can inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.

### Patches
Fixed in v4.10.2

### Workarounds
No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

### References
* https://nvd.nist.gov/vuln/detail/CVE-2022-44303
* https://github.com/resque/resque-scheduler/issues/761
* https://github.com/resque/resque/issues/1885
* https://github.com/resque/resque-scheduler/pull/780
* https://github.com/resque/resque-scheduler/pull/783