CVE-2022-44303 (resque-scheduler): Resque Scheduler Reflected XSS In Delayed Jobs View

Ruby Security Advisory

### Impact

Resque Scheduler versions 1.27.4 and above are affected by a reflected
cross-site scripting vulnerability. A remote attacker can inject JavaScript
code into the "{schedule_job}" or "args" parameter of
/resque/delayed/jobs/{schedule_job}?args={args_id} so that it executes
on the client side when the delayed jobs view is rendered.
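As an added illustration (not code from resque-scheduler or from this advisory), the Ruby snippet below contrasts an ERB view that interpolates request parameters verbatim with one that passes every untrusted value through `ERB::Util.html_escape`, which is the class of fix a reflected XSS in a job-viewer page calls for. The template strings, the sample parameter values and the `leaks_raw_markup?` regression check are all constructed here and do not reproduce the project's actual view.

```ruby
require 'erb'

# Constructed sample request parameters (illustrative, not from the advisory).
SAMPLE_JOB  = 'SendWelcomeEmail'
SAMPLE_ARGS = "<script>alert('xss')</script>"

# Vulnerable pattern: request parameters interpolated into the page as-is.
# Stand-in for an unescaped view; not resque-scheduler's own template.
UNSAFE_TEMPLATE = <<~HTML
  <h2>Delayed job: <%= schedule_job %></h2>
  <pre><%= args %></pre>
HTML

# Hardened pattern: every untrusted value goes through ERB::Util.html_escape,
# so <, >, &, " and ' become entities and can no longer form markup.
SAFE_TEMPLATE = <<~HTML
  <h2>Delayed job: <%= ERB::Util.html_escape(schedule_job) %></h2>
  <pre><%= ERB::Util.html_escape(args) %></pre>
HTML

# Render a template with the two parameters the delayed-jobs URL carries.
def render_view(template, schedule_job, args)
  ERB.new(template).result_with_hash(schedule_job: schedule_job, args: args)
end

def render_unescaped(schedule_job, args)
  render_view(UNSAFE_TEMPLATE, schedule_job, args)
end

def render_escaped(schedule_job, args)
  render_view(SAFE_TEMPLATE, schedule_job, args)
end

# Regression check a reviewer can keep in the test suite: the raw markup from
# an untrusted parameter must never appear verbatim in the rendered response.
def leaks_raw_markup?(html, untrusted)
  html.include?(untrusted)
end

if __FILE__ == $PROGRAM_NAME
  puts '--- unescaped view (vulnerable) ---'
  puts render_unescaped(SAMPLE_JOB, SAMPLE_ARGS)
  puts '--- escaped view (fixed) ---'
  puts render_escaped(SAMPLE_JOB, SAMPLE_ARGS)
end
```

Running the file prints both renderings; in the first the script tag survives intact, in the second it appears as `&lt;script&gt;…&lt;/script&gt;` text. The `leaks_raw_markup?` check is deliberately simple: it catches only verbatim reflection, so it complements, rather than replaces, escaping at the template layer.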

### Patches

Fixed in v4.10.2

### Workarounds

No known workarounds at this time. It is recommended to not click on
3rd party or untrusted links to the resque-web interface until you
have patched your application.

### References
* https://nvd.nist.gov/vuln/detail/CVE-2022-44303
* https://github.com/resque/resque-scheduler/issues/761
* https://github.com/resque/resque/issues/1885
* https://github.com/resque/resque-scheduler/pull/780
* https://github.com/resque/resque-scheduler/pull/783
