CVE-2023-1892: Trim :period parameter to two characters and escape the value · sidekiq/sidekiq@458fdf7
Reflected cross-site scripting (XSS) in the GitHub repository sidekiq/sidekiq prior to 7.0.8: the `period` query parameter of the Web UI metrics pages was assigned to `@period` and reflected into the page without truncation or HTML escaping.
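The following is an added example, not code from the sidekiq repository or from commit 458fdf7. It models the vulnerable route beside the fixed one so the reflection and the effect of the fix can be checked offline. The `h` helper, the `METRICS_PERIODS` table (label to minutes) and the one-line ERB template are stand-ins for Sidekiq's web view code and are assumptions; the attacker payload is constructed.

```ruby
require "cgi"
require "erb"

# Assumed shape of Sidekiq::Web's METRICS_PERIODS (label => minutes); constructed here.
METRICS_PERIODS = { "1h" => 60, "2h" => 120, "4h" => 240, "8h" => 480 }.freeze

# Stand-in for Sidekiq::Web's h() view helper: plain HTML escaping.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Stand-in for the part of the metrics view that reflects the period label.
TEMPLATE = ERB.new('<a class="period" href="?period=<%= period %>"><%= period %></a>')

# Before the fix: the raw parameter is assigned to @period and reflected verbatim.
def metrics_vulnerable(params)
  period = params["period"]
  # fetch falls back to the first entry for an unknown label, so lookup never fails
  minutes = METRICS_PERIODS.fetch(period, METRICS_PERIODS.values.first)
  { period: period, minutes: minutes, html: TEMPLATE.result_with_hash(period: period) }
end

# After the fix (as in 458fdf7): slice to two characters, then HTML-escape.
# For a legitimate label such as "4h" the escaping is the identity; for anything
# else the escaped two-character slice is not a key and the default period is used.
def metrics_fixed(params)
  period = h((params["period"] || "")[0..1])
  minutes = METRICS_PERIODS.fetch(period, METRICS_PERIODS.values.first)
  { period: period, minutes: minutes, html: TEMPLATE.result_with_hash(period: period) }
end

# Stricter alternative, not what the commit does: accept only known labels and
# never put attacker-controlled bytes into @period at all.
def metrics_allowlisted(params)
  period = params["period"]
  period = METRICS_PERIODS.keys.first unless METRICS_PERIODS.key?(period)
  { period: period, minutes: METRICS_PERIODS[period], html: TEMPLATE.result_with_hash(period: period) }
end

# Constructed attacker input: breaks out of the href attribute and injects a script.
PAYLOAD = { "period" => '"><script>alert(1)</script>' }.freeze
```

Running `metrics_vulnerable(PAYLOAD)[:html]` shows the injected `<script>` element intact; `metrics_fixed(PAYLOAD)` reduces the input to `&quot;&gt;`, which neither closes the attribute nor matches a period, so the default of 60 minutes is selected. The allowlist variant reaches the same result without relying on the length of the period labels.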
@@ -68,7 +68,7 @@ def self.set(key, val)
get “/metrics” do q = Sidekiq::Metrics::Query.new @period = params[:period] @period = h((params[:period] || “”)[0…1]) @periods = METRICS_PERIODS minutes = @periods.fetch(@period, @periods.values.first) @query_result = q.top_jobs(minutes: minutes) @@ -77,7 +77,7 @@ def self.set(key, val)
get “/metrics/:name” do @name = route_params[:name] @period = params[:period] @period = h((params[:period] || “”)[0…1]) q = Sidekiq::Metrics::Query.new @periods = METRICS_PERIODS minutes = @periods.fetch(@period, @periods.values.first)
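Review bot: In the `get "/metrics"` hunk the range operator in `(params[:period] || "")[0…1]` is not legible as rendered; the commit title says two characters, which is `[0..1]`, whereas `[0...1]` keeps a single character and would never match a two-character period label, silently selecting the default via `@periods.fetch(@period, @periods.values.first)`. Please confirm the inclusive form. Since that `fetch` already tolerates unknown labels, an allowlist such as `@period = METRICS_PERIODS.key?(params[:period]) ? params[:period] : METRICS_PERIODS.keys.first` would close the reflection without depending on label length, leaving `h` to the view where the value is rendered.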
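Review bot: In the `get "/metrics/:name"` hunk the same expression `h((params[:period] || "")[0…1])` is duplicated from the `/metrics` route; move it into one helper (for example `def metrics_period(params) h((params[:period] || "")[0..1]) end`) so the two routes cannot drift apart when the period handling changes again. The neighbouring `@name = route_params[:name]` is assigned without any treatment in this hunk; confirm the view escapes it wherever it is rendered.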
Related news
GHSA-h3r8-h5qw-4r35: sidekiq vulnerable to cross-site scripting
sidekiq prior to 7.0.8 is vulnerable to reflected cross-site scripting.