XXL-JOB vulnerable to Server-Side Request Forgery
xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE.
Advisories for Maven/Com.xuxueli/Xxl-Job package
2024
2023
Cross-Site Request Forgery (CSRF)
Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This affects all versions of the package com.xuxueli:xxl-job. HTML uploaded payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update.
Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter
Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter.
Cross-Site Request Forgery (CSRF)
A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.
2022
Server-Side Request Forgery (SSRF)
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
Improper Neutralization of Special Elements used in a Command ('Command Injection')
XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks.
Improper Privilege Management
XXL-JOB all versions as of 11 July 2022 is vulnerable to Insecure Permissions resulting in the ability to execute admin function with low Privilege account.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
XXL-Job v2.3.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /xxl-job-admin/jobinfo.
xxl-job sensitive data exposure
xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.
Cross-Site Request Forgery (CSRF)
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.