CVE-2024-3366 – Xuxueli xxl-job Template JdkSerializeTool.java deserialize injection
https://notcve.org/view.php?id=CVE-2024-3366
06 Apr 2024 — A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480. • https://github.com/xuxueli/xxl-job/issues/3391 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2024-24113
https://notcve.org/view.php?id=CVE-2024-24113
08 Feb 2024 — xxl-job <= 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability that allows low-privileged users to control the executor and achieve remote code execution (RCE). • https://github.com/xuxueli/xxl-job/issues/3375 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-33779
https://notcve.org/view.php?id=CVE-2023-33779
26 May 2023 — A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/. • http://xxl-job.com • CWE-863: Incorrect Authorization •