CVE-2021-30151

Name	CVE-2021-30151
Description	Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when Internet Explorer is used.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2943-1, DLA-3360-1
Debian Bugs	987354

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby-sidekiq (PTS)	buster	5.2.3+dfsg-1	vulnerable
	buster (security)	5.2.3+dfsg-1+deb10u1	fixed
	bullseye	6.0.4+dfsg-2	vulnerable
	bookworm	6.4.1+dfsg-1	fixed
	sid, trixie	6.5.7+dfsg3-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
ruby-sidekiq	source	stretch	4.2.3+dfsg-1+deb9u1	DLA-2943-1
ruby-sidekiq	source	buster	5.2.3+dfsg-1+deb10u1	DLA-3360-1
ruby-sidekiq	source	(unstable)	6.3.1+dfsg-1		987354

Notes

[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
https://github.com/mperham/sidekiq/issues/4852
https://github.com/mperham/sidekiq/commit/64f70339d1dcf50a55c00d36bfdb61d97ec63ed8 (v6.2.1)