CVE-2023-50725: 
Ruby vulnerability analysis and mitigation

Resque, a Redis-backed Ruby library for creating background jobs, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability in versions prior to 2.2.1. The vulnerability was discovered in the resque-web interface, specifically affecting the failed and queues list paths. This security issue was assigned CVE-2023-50725 and was disclosed on December 18, 2023 (GitHub Advisory).

The vulnerability exists in two specific paths of the resque-web interface: '/failed/?class=alert(document.cookie)' and '/queues/>'. The issue stems from insufficient HTML escaping of user-supplied parameters in these paths, allowing for reflected XSS attacks. The vulnerability received a CVSS v3.1 base score of 6.1 (Medium) from NVD and 6.3 (Medium) from GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (NVD).

A successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected paths. This could potentially lead to cookie theft, session hijacking, or other client-side attacks against users of the resque-web interface (GitHub Advisory).

The vulnerability has been patched in Resque version 2.2.1. Until the patch can be applied, it is recommended not to click on third-party or untrusted links to the resque-web interface. No other workarounds are available (GitHub Advisory).