CVE-2021-30151

Name	CVE-2021-30151
Description	Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2943-1, DLA-3360-1
Debian Bugs	987354

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby-sidekiq (PTS)	jessie	3.2.6~dfsg-1	vulnerable
	stretch (security), stretch (lts), stretch	4.2.3+dfsg-1+deb9u1	fixed
	buster (security), buster, buster (lts)	5.2.3+dfsg-1+deb10u1	fixed
	bullseye	6.0.4+dfsg-2	vulnerable
	bookworm	6.4.1+dfsg-1	fixed
	sid, trixie	7.3.2+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ruby-sidekiq	source	jessie	(unfixed)	end-of-life
ruby-sidekiq	source	stretch	4.2.3+dfsg-1+deb9u1		DLA-2943-1
ruby-sidekiq	source	buster	5.2.3+dfsg-1+deb10u1		DLA-3360-1
ruby-sidekiq	source	(unstable)	6.3.1+dfsg-1			987354

Notes

[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
https://github.com/mperham/sidekiq/issues/4852
https://github.com/mperham/sidekiq/commit/64f70339d1dcf50a55c00d36bfdb61d97ec63ed8 (v6.2.1)