Reflected XSS in Sidekiq Unique Jobs UI
A reflected cross-site scripting vulnerability was found in sidekiq-unique-jobs version 8.0.6 (or earlier). We have reported this vulnerability to the developer, who addressed the issue and fixed the vulnerability in version 8.0.7.
Description
Sidekiq is used to manage and execute background jobs. Sidekiq Unique-Jobs is a gem that adds constraints to sidekiq jobs.
The following three filter endpoints were found to be susceptible to reflected cross-site scripting, because the value of the filter parameter is reflected into the page without HTML escaping:
/sidekiq/locks?filter={payload}
/sidekiq/changelogs?filter={payload}
/sidekiq/expiring_locks?filter={payload}
In the screenshot accompanying this advisory (not reproduced here), the payload "><script>alert(document.domain)</script> was used in the ChangeLogs filter function to open a PoC pop-up that displays the current domain.
The locks functionality was found to be vulnerable in the following path:
/sidekiq/locks/{payload}
An example payload would be:
"><img src=a onerror=alert(document.domain)>
This payload is injected into the HTML code in two places and therefore executed twice.
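To show the bug class from the defender's side, the following is an added Ruby example; it is not the gem's own code and not the fix shipped in 8.0.7. It renders a constructed ERB snippet that reflects the filter parameter once unescaped and once through ERB::Util#h, using the payload quoted above as input, and includes a small check that flags a script tag or event handler surviving into the rendered HTML.

```ruby
require "erb"

# Constructed stand-in for a web UI page that echoes ?filter= back into
# the HTML. Illustrates the bug class only; not the gem's real template.
class FilterPage
  include ERB::Util # provides h(), an alias of html_escape

  VULNERABLE = '<input name="filter" value="<%= filter %>">'
  HARDENED   = '<input name="filter" value="<%= h(filter) %>">'

  def initialize(filter)
    @filter = filter
  end

  attr_reader :filter

  # Evaluates the template with this page's binding (filter and h visible).
  def render(template)
    ERB.new(template).result(binding)
  end
end

# The payload quoted in the advisory, used here as constructed input.
PAYLOAD = '"><script>alert(document.domain)</script>'

def vulnerable_output(filter = PAYLOAD)
  FilterPage.new(filter).render(FilterPage::VULNERABLE)
end

def hardened_output(filter = PAYLOAD)
  FilterPage.new(filter).render(FilterPage::HARDENED)
end

# Did a raw script tag or on*= handler attribute survive into the output?
# Useful as a regression check on rendered pages that reflect user input.
def reflected_script?(html)
  html.match?(/<script\b|\bon\w+\s*=/i)
end

if __FILE__ == $0
  puts "unescaped: #{vulnerable_output}"
  puts "escaped:   #{hardened_output}"
end
```

With escaping, the quote and angle brackets become &quot;, &lt; and &gt;, so the input stays inside the attribute value instead of closing it.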
Assigned CVEs
https://nvd.nist.gov/vuln/detail/CVE-2023-46950
https://nvd.nist.gov/vuln/detail/CVE-2023-46951
Affected Component
Attack Type: Remote
Impact Code Execution: True
Attack vectors
To exploit the vulnerability, the user needs to click on a malicious link prepared by the attacker.
Reference
https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38
Discoverer
Mirko Richter (mgm security partners), Bình Văn Quốc Huỳnh (mgm security partners)