CVE-2024-25122
Ruby vulnerability analysis and mitigation

Overview

CVE-2024-25122 affects sidekiq-unique-jobs, an open source Sidekiq extension that prevents jobs with the same unique arguments from running simultaneously. The vulnerability was discovered and disclosed on February 13, 2024, and affects versions prior to 7.1.33 and 8.0.7. It is a Cross-Site Scripting (XSS) vulnerability in the admin web UI that could expose sensitive browser-side data (GitHub Advisory).

Technical details

The vulnerability is classified as a Reflected (Server-Side), Non-Self Cross-Site Scripting vulnerability. It affects three endpoints in the admin web UI: '/changelogs', '/locks', and '/expiring_locks'. Each reflects unsanitized GET request parameters into the response, so script supplied in a crafted URL executes in the browser of a user who opens it. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (GitHub Advisory, NVD).
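The defect class behind this advisory is a query parameter reflected into HTML without output escaping. The following is an added, constructed Ruby example (it is not the sidekiq-unique-jobs code and does not reproduce its views) showing the unsafe interpolation next to the hardened form, plus a small check that a test suite can run over rendered pages. The handler names, the page fragment and the hostile value are all assumptions for illustration.

```ruby
require "cgi"

# Constructed example of the defect class behind CVE-2024-25122: a GET
# parameter reflected into an HTML page. Not the sidekiq-unique-jobs code.

# Unsafe pattern: the raw parameter value is interpolated into markup, so
# any '<' or '>' in it becomes part of the document structure.
def render_filter_unsafe(filter)
  "<p>Showing locks matching: #{filter}</p>"
end

# Hardened pattern: escape on output. CGI.escapeHTML turns <, >, &, " and '
# into entities, so the browser renders the value as text, never as markup.
def render_filter_safe(filter)
  "<p>Showing locks matching: #{CGI.escapeHTML(filter.to_s)}</p>"
end

# Defensive check usable in a view test: a reflected parameter containing
# markup delimiters must not reappear verbatim in the rendered HTML.
def reflects_raw_markup?(html, param_value)
  param_value.match?(/[<>"']/) && html.include?(param_value)
end

# Constructed hostile input (not taken from the advisory), standing in for a
# value sent in a GET parameter to an endpoint such as /locks.
HOSTILE_VALUE = "<script>alert(1)</script>"

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_filter_unsafe(HOSTILE_VALUE)}"
  puts "safe:   #{render_filter_safe(HOSTILE_VALUE)}"
  puts "unsafe reflects markup? #{reflects_raw_markup?(render_filter_unsafe(HOSTILE_VALUE), HOSTILE_VALUE)}"
  puts "safe reflects markup?   #{reflects_raw_markup?(render_filter_safe(HOSTILE_VALUE), HOSTILE_VALUE)}"
end
```

The check is deliberately conservative: it only flags values that carry markup delimiters and reappear unchanged, which is exactly the condition under which a reflected parameter becomes executable. Escaping at the point of output, rather than filtering input, is the fix pattern that removes the whole class rather than one payload.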

Impact

The vulnerability could allow attackers to steal cookies, session data, or local storage data belonging to the origin on which the sidekiq-unique-jobs web UI is mounted. This is particularly critical for deployments that have not isolated the UI on a sandboxed subdomain: the UI then shares an origin with the main application, so all of that application's browser-side data is exposed (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 7.1.33 and 8.0.7, and users are strongly advised to upgrade to these or later versions. Additionally, the admin UI is not protected by any authorization constraint in the default configuration, so it is recommended to place it behind one (GitHub Advisory, GitHub Patch).
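The advisory's second recommendation is to put the admin UI behind an authorization constraint. The following is an added, constructed Ruby example (not code from sidekiq-unique-jobs or Sidekiq) of a Rack-style middleware that does this for a mounted admin path. It relies only on the Rack calling convention (`call(env)` returning `[status, headers, body]`), so it runs without the rack gem; the mount path `/admin/jobs`, the `rack.session` key and the `:admin` session flag are assumptions and would be adapted to the application's own session scheme.

```ruby
# Constructed example, not code from sidekiq-unique-jobs or Sidekiq: a
# Rack-style middleware that refuses requests to an admin UI mount unless
# the session was established by an admin. The default mount has no such
# check, which is the gap the advisory's workaround closes.
class AdminUiGuard
  # app:              the downstream Rack app (the mounted UI)
  # protected_prefix: mount path of the admin UI (assumed "/admin/jobs")
  # session_key:      env key holding the session hash (assumed "rack.session")
  def initialize(app, protected_prefix: "/admin/jobs", session_key: "rack.session")
    @app = app
    @prefix = protected_prefix
    @session_key = session_key
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless protected?(path)

    session = env[@session_key] || {}
    # Deny by default: only an explicit admin flag set by the app's own
    # login flow (assumed to be session[:admin] == true) lets the request in.
    return deny unless session[:admin] == true

    @app.call(env)
  end

  private

  # Match the mount point itself and everything beneath it, but not a
  # sibling path that merely shares the prefix string (e.g. "/admin/jobsx").
  def protected?(path)
    path == @prefix || path.start_with?("#{@prefix}/")
  end

  def deny
    [403, { "content-type" => "text/plain" }, ["forbidden"]]
  end
end

# Stand-in for the mounted admin UI (constructed; the real UI renders pages).
ADMIN_UI = ->(_env) { [200, { "content-type" => "text/html" }, ["<h1>locks</h1>"]] }

def guarded_app
  AdminUiGuard.new(ADMIN_UI)
end

# Send one GET through the guard and return only the response status.
def status_for(path, session: {})
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "GET", "rack.session" => session }
  status, = guarded_app.call(env)
  status
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous /admin/jobs/locks -> #{status_for('/admin/jobs/locks')}"
  puts "admin     /admin/jobs/locks -> #{status_for('/admin/jobs/locks', session: { admin: true })}"
  puts "anonymous /healthz          -> #{status_for('/healthz')}"
end
```

Gating the mount is independent of, and does not replace, the upgrade: the patched versions fix the reflection itself, while the constraint limits who can reach the endpoints at all. The advisory's other deployment advice, serving the UI from a sandboxed subdomain so it does not share an origin with the main application, is a hosting decision outside this code.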


Related Ruby vulnerabilities:

CVE ID               Severity  Score  Technologies  Component name             CISA KEV exploit  Has fix  Published date
CVE-2025-68271       CRITICAL  10     Ruby          openc3                     No                Yes      Jan 13, 2026
GHSA-5qw5-wf2q-f538  HIGH      8.8    Ruby          activerecord-jdbc-adapter  No                Yes      Jan 16, 2026
CVE-2026-22589       HIGH      7.5    Ruby          spree_core                 No                Yes      Jan 10, 2026
CVE-2026-23885       MEDIUM    6.6    Ruby          alchemy_cms                No                Yes      Jan 19, 2026
GHSA-mpwp-4h2m-765c  MEDIUM    6.6    Ruby          activejob                  No                Yes      Jan 16, 2026
