GHSA Sync: 4 brand new advisories

gems/resque-scheduler/CVE-2022-44303.yml

@@ -0,0 +1,44 @@
+---
+gem: resque-scheduler
+cve: 2022-44303
+ghsa: 9hmq-fm33-x4xx
+url: https://github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
+title: Resque Scheduler Reflected XSS In Delayed Jobs View
+date: 2023-12-18
+description: |
+
+  ### Impact
+
+  Resque Scheduler version 1.27.4 and above are affected by a cross-site
+  scripting vulnerability. A remote attacker can inject javascript code
+  to the "{schedule_job}" or "args" parameter in
+  /resque/delayed/jobs/{schedule_job}?args={args_id} to execute
+   javascript at client side.
+
+  ### Patches
+
+  Fixed in v4.10.2
+
+  ### Workarounds
+
+  No known workarounds at this time. It is recommended to not click on
+  3rd party or untrusted links to the resque-web interface until you
+  have patched your application.
+
+  ### References
+  * https://nvd.nist.gov/vuln/detail/CVE-2022-44303
+  * https://github.com/resque/resque-scheduler/issues/761
+  * https://github.com/resque/resque/issues/1885
+  * https://github.com/resque/resque-scheduler/pull/780
+  * https://github.com/resque/resque-scheduler/pull/783
+cvss_v3: 6.3
+unaffected_versions:
+  - "< 1.27.4"
+patched_versions:
+  - ">= 4.10.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-44303
+    - https://github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx
+    - https://trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job
+    - https://github.com/advisories/GHSA-9hmq-fm33-x4xx

gems/resque/CVE-2023-50724.yml

@@ -0,0 +1,37 @@
+---
+gem: resque
+cve: 2023-50724
+ghsa: r8xx-8vm8-x6wj
+url: https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj
+title: Resque vulnerable to Reflected Cross Site Scripting through pathnames
+date: 2023-12-18
+description: |
+  ### Impact
+
+  resque-web in resque versions before 2.1.0 is vulnerable to reflected
+  XSS through the current_queue parameter in the path of the queues endpoint.
+
+  ### Patches
+
+  v2.1.0
+
+  ### Workarounds
+
+  No known workarounds at this time. It is recommended to not click
+  on 3rd party or untrusted links to the resque-web interface until
+  you have patched your application.
+
+  ### References
+
+  https://github.com/resque/resque/issues/1679
+  https://github.com/resque/resque/pull/1687
+cvss_v3: 6.3
+patched_versions:
+  - ">= 2.1.0"
+related:
+  url:
+    - https://github.com/resque/resque/security/advisories/GHSA-r8xx-8vm8-x6wj
+    - https://github.com/resque/resque/issues/1679
+    - https://github.com/resque/resque/pull/1687
+    - https://github.com/resque/resque/commit/e8e2367fff6990d13109ec2483a456a05fbf9811
+    - https://github.com/advisories/GHSA-r8xx-8vm8-x6wj

gems/resque/CVE-2023-50725.yml

@@ -0,0 +1,40 @@
+---
+gem: resque
+cve: 2023-50725
+ghsa: gc3j-vvwf-4rp8
+url: https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8
+title: Resque vulnerable to reflected XSS in resque-web failed and queues lists
+date: 2023-12-18
+description: |
+  ### Impact
+
+  The following paths in resque-web have been found to be
+  vulnerable to reflected XSS:
+
+  ```
+  /failed/?class=<script>alert(document.cookie)</script>
+  /queues/><img src=a onerror=alert(document.cookie)>
+  ```
+
+  ### Patches
+
+  v2.2.1
+
+  ### Workarounds
+
+  No known workarounds at this time. It is recommended to not click
+  on 3rd party or untrusted links to the resque-web interface until
+  you have patched your application.
+
+  ### References
+
+  https://github.com/resque/resque/pull/1790
+cvss_v3: 6.3
+patched_versions:
+  - ">= 2.2.1"
+related:
+  url:
+    - https://github.com/resque/resque/security/advisories/GHSA-gc3j-vvwf-4rp8
+    - https://github.com/resque/resque/pull/1790
+    - https://github.com/resque/resque/commit/ee99d2ed6cc75d9d384483b70c2d96d312115f07
+    - https://github.com/advisories/GHSA-gc3j-vvwf-4rp8

gems/resque/CVE-2023-50727.yml

@@ -0,0 +1,35 @@
+---
+gem: resque
+cve: 2023-50727
+ghsa: r9mq-m72x-257g
+url: https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g
+title: Resque vulnerable to reflected XSS in Queue Endpoint
+date: 2023-12-18
+description: |
+  ### Impact
+
+  Reflected XSS can be performed using the current_queue portion of
+  the path on the /queues endpoint of resque-web.
+
+  ### Patches
+
+  v2.6.0
+
+  ### Workarounds
+
+  No known workarounds at this time. It is recommended to not click
+  on 3rd party or untrusted links to the resque-web interface until
+  you have patched your application.
+
+  ### References
+
+  https://github.com/resque/resque/pull/1865
+cvss_v3: 6.3
+patched_versions:
+  - ">= 2.6.0"
+related:
+  url:
+    - https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g
+    - https://github.com/resque/resque/pull/1865
+    - https://github.com/resque/resque/commit/7623b8dfbdd0a07eb04b19fb25b16a8d6f087f9a
+    - https://github.com/advisories/GHSA-r9mq-m72x-257g