Headline
CVE-2021-30151: [sidekiq <= v6.2, v5.1.3] Cross-site-scripting (XSS) · Issue #4852 · sidekiq/sidekiq
Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
The payload I provided works against the latest version of master. I tested multiple setups; some only worked for IE and others worked on all browsers, so I couldn't understand why.
If you have Internet Explorer, you can open this link as proof:
[HOST]/sidekiq/queues/"><h1>@xhzeem
The point is that modern browsers auto-encode some characters with URL encoding, which converts the " into %22, but Internet Explorer doesn't do that, so you can see it there with no issue. That said, I have another setup that is vulnerable and exploitable on Chrome, but I don't know why.
PoC: https://d.top4top.io/p_19096xn861.png
Simply use cURL and you will get it:
curl 'https://[HOST]/sidekiq/queues/"onmouseover="alert()"' -H 'Authorization: Basic YWRtaW46QHhoemVlbQ=='
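The following Ruby script is an added illustration of the mechanism the reporter describes; it is not Sidekiq's code and not part of the original issue. It renders the queue name from the request path into the live-poll link, uses the reporter's payload, and shows three things: a raw quote (as curl and, per the report, Internet Explorer send it) breaks out of the attribute; a browser-encoded %22 only does so if the server percent-decodes the segment before rendering (the `decode` flag is an assumption introduced here to model why some setups were reachable from any browser); and HTML-escaping at output time blocks all of those cases. The `/sidekiq/queues/` prefix and the `live-poll` class name are placeholders.

```ruby
require 'cgi'

# Added illustration, not Sidekiq's own code. It models a queue page whose
# live-poll link embeds the queue name taken from the request path, using the
# reporter's payload from the issue above.
PAYLOAD = '"><h1>@xhzeem'

# What the client puts on the wire for that path segment. curl and (per the
# report) Internet Explorer send the quote raw; modern browsers percent-encode
# it. Only the quote is modelled here, since that is the behaviour the report
# describes.
def wire_segment(client)
  case client
  when :ie, :curl then PAYLOAD
  when :browser   then PAYLOAD.gsub('"', '%22')
  else raise ArgumentError, "unknown client #{client.inspect}"
  end
end

# Server side. `decode` is an assumption used here to model why some setups
# were reachable from any browser: a server that percent-decodes the path
# segment before rendering turns %22 back into a quote. `escape` is the fix:
# HTML-escape the value at the point it is written into the template.
def render_poll_link(segment, decode:, escape:)
  name = decode ? CGI.unescape(segment) : segment
  name = CGI.escapeHTML(name) if escape
  %(<a href="/sidekiq/queues/#{name}" class="live-poll">Live Poll</a>)
end

# Did the payload break out of the attribute? A minimal scanner that tracks
# whether it is inside a double-quoted attribute value and looks for a real
# <h1> tag outside one (an <h1> left inside the href value is harmless).
def injected?(html)
  in_quote = false
  html.each_char.with_index do |c, i|
    in_quote = !in_quote if c == '"'
    return true if !in_quote && html[i, 4] == '<h1>'
  end
  false
end

def exploitable?(client:, decode:, escape:)
  injected?(render_poll_link(wire_segment(client), decode: decode, escape: escape))
end

if __FILE__ == $PROGRAM_NAME
  [:ie, :curl, :browser].each do |client|
    [false, true].each do |decode|
      [false, true].each do |escape|
        verdict = exploitable?(client: client, decode: decode, escape: escape) ? 'XSS' : 'safe'
        puts format('%-8s decode=%-5s escape=%-5s -> %s', client, decode, escape, verdict)
      end
    end
  end
end
```

The practical check is the one the reporter gives: send the raw quote with curl and look for it unescaped in the response. Client-side percent-encoding is not a control, because any non-browser client bypasses it; the fix has to be output encoding in the template.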
Related news
Red Hat Security Advisory 2022-5498-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include HTTP request smuggling, buffer overflow, bypass, code execution, cross site scripting, denial of service, heap overflow, information leakage, privilege escalation, remote shell upload, remote SQL injection, and traversal vulnerabilities.
An update is now available for Red Hat Satellite 6.11.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2021-3200: libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c
* CVE-2021-3584: foreman: Authenticated remote code execution through Sendmail configuration
* CVE-2021-4142: Satellite: Allow unintended SCA certificate to authenticate Candlepin
* CVE-2021-21290: netty: Information disclosure via the local system temporary directory
* CVE-2021-21295: netty: possible request smuggling in HTTP/2 due to missing validation
* CVE-2021-21409: netty: Request smuggling via content-length header
* CVE-2021-30151: sidekiq: XSS via the queue name of the live-poll feature
* CVE-2021-32839: python-sqlparse: ReDoS via regular expression i...