Improper Preservation of Permissions in xxl-job
Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.
A vulnerability classified as problematic was found in Xuxueli xxl-job version 2.4.0. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480.
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
XXL-JOB 2.2.0 has a command execution vulnerability in background tasks.
XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java.