Resque 1.27.4 - Multiple Reflected XSS in Resque Schedule Job


Date: 24/10/2022

Exploit Author: TrungVM of VietSunshine Cyber Security Services

Affected Version(s): Resque Scheduler version 1.27.4

Description: Resque Scheduler version 1.27.4 is vulnerable to Cross-site scripting (XSS). A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.

Steps to reproduce: An attacker sends a draft URL https://{IP]/resque/delayed/jobs/{schedule_job}?args={args_id} to a victim. When an authenticated victim opens a URL, XSS will be triggered.

Payload example:

  • Ex1: https://{IP]/resque/delayed/jobs/%3Csvg%20onload=alert(document.domain)

  • Ex2: https://{IP/resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]

Last updated