Sidekiq-Cron Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Sidekiq-Cron versions through 2.3.1. When a user opens a crafted URL that is processed by the Sidekiq-Cron 'admin' web UI, the attacker's script is executed in that user's browser. The vulnerability could be exploited to steal cookies, session data, or local storage information from the application in which the Sidekiq-Cron web UI is mounted.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: the injected script runs in the context of the affected user's session with the web UI.

Reproduction

To reproduce this vulnerability, send a GET request to the Sidekiq-Cron 'admin' web UI with crafted parameters that include JavaScript, for example embedded in an HTML image tag with an 'onerror' event handler. The script is executed when the link is opened, which demonstrates the reflected cross-site scripting vulnerability.

Remediation

Update to Sidekiq-Cron version 2.4.0, which fixes the underlying issue so that crafted parameters can no longer inject scripts into the web UI.
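The following Ruby example is added here as an illustration and is not code from Sidekiq-Cron or this advisory. It shows the two things a defender wants from the Vulnerability and Remediation sections above: a renderer that interpolates a request parameter into HTML unescaped (the class of defect described) beside one that HTML-escapes it with the standard-library ERB::Util.html_escape, and a version gate that checks an installed sidekiq-cron version against the 2.4.0 fix. The parameter name, the renderers, and the payload are constructed for the demonstration; the advisory does not state which parameter is affected.

```ruby
require "erb"
require "rubygems"

# Fixed version stated in the advisory. The installed versions fed to the
# check below are constructed inputs, not values read from a real system.
FIXED_VERSION = Gem::Version.new("2.4.0")

# True when the given sidekiq-cron version already contains the fix.
# Gem::Version handles pre-release and multi-segment comparisons correctly,
# which a plain string comparison would not.
def sidekiq_cron_patched?(installed_version)
  Gem::Version.new(installed_version) >= FIXED_VERSION
end

# Hypothetical vulnerable renderer: a query parameter is interpolated into
# the response body without encoding, so any markup it carries is rendered.
def render_unsafe(param)
  "<p>Filter: #{param}</p>"
end

# Hardened renderer: the same template, but the parameter is HTML-escaped
# first, so '<', '>', '&', and quotes arrive in the browser as text.
def render_safe(param)
  "<p>Filter: #{ERB::Util.html_escape(param)}</p>"
end

# Lists the opening tag names present in a rendered fragment. The template
# itself contributes exactly one ("p"); anything else came from the input.
def tags_in(rendered)
  rendered.scan(/<([a-zA-Z][\w-]*)/).flatten
end

# Constructed payload of the shape the advisory mentions: an image tag
# whose 'onerror' handler would run if the markup were rendered as HTML.
CONSTRUCTED_PAYLOAD = '<img src=x onerror="alert(1)">'

if __FILE__ == $0
  puts "unsafe: #{render_unsafe(CONSTRUCTED_PAYLOAD)}"
  puts "  tags: #{tags_in(render_unsafe(CONSTRUCTED_PAYLOAD)).inspect}"
  puts "safe:   #{render_safe(CONSTRUCTED_PAYLOAD)}"
  puts "  tags: #{tags_in(render_safe(CONSTRUCTED_PAYLOAD)).inspect}"
  %w[2.3.1 2.4.0].each do |v|
    puts "sidekiq-cron #{v} patched? #{sidekiq_cron_patched?(v)}"
  end
end
```

Running the file prints both renderings: the unsafe one contains a second tag, while the escaped one contains only the template's own paragraph tag, and the version gate reports 2.3.1 as unpatched and 2.4.0 as patched. In a real deployment the version to check comes from `Gem.loaded_specs["sidekiq-cron"].version` or the application's Gemfile.lock.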

Added: May 7, 2026, 3:53 PM
Updated: May 7, 2026, 3:53 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.5
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.