> For the complete documentation index, see [llms.txt](https://trungvm.gitbook.io/cves/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job.md).

# Resque 1.27.4 - Multiple Reflected XSS in Resque Schedule Job

## **CVE-2022-44303**

**Date:** 24/10/2022

**Exploit Author:** TrungVM of VietSunshine Cyber Security Services

**Affected Version(s):** Resque Scheduler version 1.27.4&#x20;

**Description:** Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "**{schedule\_job}**" or "**args**" parameter in */resque/delayed/jobs/{schedule\_job}?args={args\_id}* to execute javascript at client side.

**Steps to reproduce:**  An attacker sends a draft URL *https\://{IP]/resque/delayed/jobs/{schedule\_job}?args={args\_id}* to a victim. When an authenticated victim opens a URL, XSS will be triggered.

**Payload example:**

* **Ex1:** *https\://{IP]/resque/delayed/jobs/%3Csvg%20onload=alert(document.domain)*
* **Ex2:** *https\://{IP/resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=\[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]*
