CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Aug 2024 — Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component. • https://github.com/xuxueli/xxl-job/issues/3516 • CWE-277: Insecure Inherited Permissions

CVSS: 3.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

06 Apr 2024 — A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480. • https://github.com/xuxueli/xxl-job/issues/3391 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

08 Feb 2024 — xxl-job <= 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability that lets low-privileged users control the executor, leading to RCE. • https://github.com/xuxueli/xxl-job/issues/3375 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Nov 2023 — xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage. • https://github.com/xuxueli/xxl-job/issues/3329 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Nov 2023 — xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job-admin/joblog/clearLog and /xxl-job-admin/joblog/logDetailCat. • https://github.com/xuxueli/xxl-job/issues/3330 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Nov 2023 — xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save. • https://github.com/xuxueli/xxl-job/issues/3333

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

11 Aug 2023 — Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and escalate privileges via a crafted .html file. • https://github.com/xuxueli/xxl-job/issues/1921 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 May 2023 — A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/. • http://xxl-job.com • CWE-863: Incorrect Authorization

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

10 Apr 2023 — This affects all versions of the package com.xuxueli:xxl-job. HTML uploaded payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update. • https://security.snyk.io/vuln/SNYK-JAVA-COMXUXUELI-3248764 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

21 Mar 2023 — Permissions vulnerability found in Xuxueli xxl-job v2.2.0, v2.3.0 and v2.3.1 allows an attacker to obtain sensitive information via the pageList parameter. • https://github.com/xuxueli/xxl-job/issues/3096