CVE-2023-46950: 
Ruby vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability was discovered in Contribsys Sidekiq v.6.5.8, identified as CVE-2023-46950. The vulnerability allows remote attackers to obtain sensitive information through crafted URLs to the filter functions. The issue was discovered in early 2024 and fixed with the release of sidekiq-unique-jobs versions 8.0.7 and 7.1.33 (GitHub Advisory).

The vulnerability is specifically a Reflected (Server-Side), Non-Self Cross Site Scripting vulnerability affecting multiple endpoints in the sidekiq-unique-jobs' admin web UI, including /changelogs, /locks, and /expiring_locks. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory, NVD).

The vulnerability could allow attackers to potentially steal cookies, session data, or local storage data from the application where the sidekiq-unique-jobs web UI is mounted. This is particularly concerning for users who haven't configured the UI on a sandboxed subdomain, making all their cookies, localStorage data and session secrets vulnerable to exposure (GitHub Advisory).

The vulnerability has been patched in sidekiq-unique-jobs versions 8.0.7 and 7.1.33. Users are strongly recommended to upgrade to these or later versions. Additionally, it is recommended to configure authorization constraints on the admin UI, as it is not protected by any authorization constraint in the default configuration (GitHub Advisory).