CVE-2022-44303
Description
Resque Scheduler version 1.27.4 is vulnerable to cross-site scripting (XSS). A remote attacker could inject JavaScript into the `{schedule_job}` or `args` parameter of `/resque/delayed/jobs/{schedule_job}?args={args_id}` so that it executes on the client side.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| resque-scheduler | RubyGems | >= 1.27.4, < 4.10.2 | 4.10.2 |
Affected products
- Resque Scheduler / Resque Scheduler
Patches
Vulnerability mechanics
Root cause
"Missing output encoding of user-controllable input in the delayed jobs web interface allows stored/reflected cross-site scripting."
Attack vector
An attacker can inject arbitrary JavaScript by crafting a malicious value for the `{schedule_job}` or `args` parameter in the URL `/resque/delayed/jobs/{schedule_job}?args={args_id}` [ref_id=1]. When a victim (typically an administrator or operator) visits that page, the injected script executes in their browser session. The attack requires no authentication beyond access to the resque-web interface, which is often exposed on internal networks or misconfigured to be publicly accessible.
Affected code
The advisory [ref_id=1] identifies the vulnerable endpoint as `/resque/delayed/jobs/{schedule_job}?args={args_id}`. The specific source file and line number are not disclosed in the bundle, but the vulnerability lies in the web view that renders the delayed job details without escaping the job name or arguments.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide a specific fix commit or remediation guidance. To close the vulnerability, the application must HTML-escape the `{schedule_job}` and `args` values before rendering them in the response, so that any markup or script they contain is emitted as inert text (e.g., by passing them through ERB's `h()` helper, `ERB::Util.html_escape`, or an equivalent output encoder at the point of output).
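The following added example (not resque-scheduler's own code, and not taken from the advisory) shows the pattern the fix description refers to. A hypothetical ERB view interpolates a job name and its arguments first without escaping, then with `ERB::Util.h`, and a small check lists any tags in the rendered HTML that did not come from the template itself. The job name and args values are constructed placeholders.

```ruby
require "erb"

# Constructed sample input standing in for the {schedule_job} and args URL values.
# Placeholder values, not data from the advisory.
JOB_NAME = "Cleanup<script>probe()</script>"
JOB_ARGS = '["<b>bold</b>"]'

# Hypothetical template mirroring the vulnerable pattern: user-controlled values
# are interpolated straight into the HTML.
UNSAFE_TEMPLATE = <<~HTML
  <h1>Delayed job: <%= job_name %></h1>
  <pre><%= args %></pre>
HTML

# Hardened template: every user-controlled value goes through h() at output time.
SAFE_TEMPLATE = <<~HTML
  <h1>Delayed job: <%= h(job_name) %></h1>
  <pre><%= h(args) %></pre>
HTML

# Minimal view object; including ERB::Util makes h()/html_escape available
# inside the template binding.
class JobView
  include ERB::Util

  attr_reader :job_name, :args

  def initialize(job_name, args)
    @job_name = job_name
    @args = args
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_unsafe(job_name = JOB_NAME, args = JOB_ARGS)
  JobView.new(job_name, args).render(UNSAFE_TEMPLATE)
end

def render_safe(job_name = JOB_NAME, args = JOB_ARGS)
  JobView.new(job_name, args).render(SAFE_TEMPLATE)
end

# Tags the template itself is expected to emit (assumption for this example).
TEMPLATE_TAGS = %w[h1 pre].freeze

# Defensive check: which opening tags in the output were not produced by the
# template? Anything listed here arrived via user input and was not escaped.
def injected_tags(html)
  html.scan(/<\s*([a-z][a-z0-9]*)/i).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe output injects: #{injected_tags(render_unsafe).inspect}"
  puts "safe output injects:   #{injected_tags(render_safe).inspect}"
  puts render_safe
end
```

The escaped rendering keeps the job name and arguments readable to the operator while turning `<` and `>` into `&lt;` and `&gt;`, which is the behaviour the fix description asks for; `injected_tags` is the kind of assertion a view test can carry to catch a template that regresses to raw interpolation.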
Preconditions
- Input: the attacker must be able to craft a URL containing malicious JavaScript in the `{schedule_job}` or `args` parameter.
- Network: a victim with access to the resque-web interface must visit the crafted URL.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9hmq-fm33-x4xx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-44303 (GHSA, advisory)
- github.com/resque/resque-scheduler/security/advisories/GHSA-9hmq-fm33-x4xx (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/resque-scheduler/CVE-2022-44303.yml (GHSA, web)
- trungvm.gitbook.io/cves/resque/resque-1.27.4-multiple-reflected-xss-in-resque-schedule-job (GHSA, web)
- resque.com (MITRE)