Home > Vulnerability Database > CVE-2024-25122

Mend.io Vulnerability Database

CVE-2024-25122

Good to know:

Date: February 13, 2024

sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in. 1. `/changelogs`, 2. `/locks` or 3. `/expiring_locks`. This issue has been addressed in versions 7.1.33 and 8.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Ruby

Severity Score

7.1

Related Resources (4)

Url: https://github.com/mhenrixon/sidekiq-unique-jobs/commit/ec3afd920c1b55843c72f748a87baac7f8be82ed

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-25122

Url: https://github.com/mhenrixon/sidekiq-unique-jobs/security/advisories/GHSA-cmh9-rx85-xj38

Url: https://www.mend.io/vulnerability-database/CVE-2024-25122

Severity Score

7.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version sidekiq-unique-jobs - 7.1.33,8.0.7

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-25122

Good to know:

Date: February 13, 2024

Language: Ruby

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?