PT-2024-5162 · Sidekiq · Sidekiq

Umeradeemcheema · Published 2024-04-26 · Updated 2024-04-29 · CVE-2024-32887

CVSS v2.0: 6.5 (Medium) · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Sidekiq versions prior to 7.2.4
Description: Sidekiq's Web UI contains a reflected cross-site scripting (XSS) vulnerability. The value of the substr parameter is reflected into the response without output encoding, so an attacker who gets an authenticated user to open a crafted URL can inject JavaScript that executes in that user's browser under the Sidekiq origin. This could be used to compromise user accounts, force users to perform sensitive actions, steal sensitive data, perform CORS attacks, or deface the web application. Because Sidekiq::Web is normally mounted inside the host application, other applications served from the same domain share the origin, so their users could also be affected, broadening the scope of compromise.
Recommendations: Update Sidekiq to version 7.2.4 or later. Until the update is deployed: restrict access to the Sidekiq Web UI (authentication and network restrictions) so that only trusted users can reach the vulnerable endpoint; if you render the affected views yourself (custom templates or a patched fork), HTML-encode all user-supplied values, including substr, before writing them into the response; and avoid following links that set the substr parameter on the affected endpoint.
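The following is an added example, not code from Sidekiq or from this advisory. It models the class of bug described above with a constructed ERB snippet (not Sidekiq's real template): a search form that echoes the substr parameter into a value attribute. The vulnerable render passes the parameter through raw, the fixed render encodes it with ERB::Util.html_escape from the Ruby standard library, and a small probe function shows how a practitioner would verify whether a given response still reflects the marker unencoded. The version check uses the 7.2.4 boundary stated in this advisory.

```ruby
require "erb"
require "rubygems"

# Constructed template, assumed for illustration only. The Web UI filter form is
# modelled as an input whose value attribute is filled from the substr parameter.
FILTER_TEMPLATE = <<~HTML
  <form action="filter" method="post">
    <input class="search" name="substr" value="<%= substr %>">
  </form>
HTML

# Vulnerable rendering: plain ERB <%= %> does not HTML-encode, so whatever the
# request carried in `substr` lands in the markup verbatim.
def render_vulnerable(substr)
  ERB.new(FILTER_TEMPLATE).result_with_hash(substr: substr)
end

# Hardened rendering: encode the attacker-controlled value before it reaches
# the HTML. html_escape converts & < > " ' into entity references, so the value
# can no longer close the attribute or open a new tag.
def render_fixed(substr)
  ERB.new(FILTER_TEMPLATE).result_with_hash(substr: ERB::Util.html_escape(substr))
end

# Generic reflected-XSS marker: closes the attribute and injects a script tag.
XSS_PROBE = %q{"><script>alert(document.domain)</script>}

# True if the raw probe survives in the response body unencoded, which is the
# condition an attacker needs for the injected script to be parsed as HTML.
def reflected_unencoded?(body, probe = XSS_PROBE)
  body.include?(probe)
end

# Version check against the advisory's fixed release.
def affected_version?(version)
  Gem::Version.new(version) < Gem::Version.new("7.2.4")
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable reflects probe: #{reflected_unencoded?(render_vulnerable(XSS_PROBE))}"
  puts "fixed reflects probe:      #{reflected_unencoded?(render_fixed(XSS_PROBE))}"
  puts "7.2.3 affected: #{affected_version?('7.2.3')}, 7.2.4 affected: #{affected_version?('7.2.4')}"
end
```

The same probe can be pointed at a running instance by fetching the affected page with the marker in substr and passing the response body to reflected_unencoded?; a fixed deployment returns the marker only as `&quot;&gt;&lt;script&gt;...`.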

Tags: Exploit · Fix · XSS

Related Identifiers

BDU:2024-05712
CVE-2024-32887
GHSA-Q655-3PJ8-9FXQ

Affected Products

Sidekiq