CVE-2023-0674 – XXL-JOB New Password updatePwd cross-site request forgery
https://notcve.org/view.php?id=CVE-2023-0674
04 Feb 2023 — A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/boyi0508/xxl-job-explain/blob/main/README.md • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-43183
https://notcve.org/view.php?id=CVE-2022-43183
17 Nov 2022 — XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. • https://github.com/xuxueli/xxl-job/issues/3002 • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-40929
https://notcve.org/view.php?id=CVE-2022-40929
28 Sep 2022 — XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users). • https://github.com/xuxueli/xxl-job/issues/2979 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-36157
https://notcve.org/view.php?id=CVE-2022-36157
19 Aug 2022 — XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions resulting in the ability to execute admin functions with a low-privilege account. • https://github.com/Richard-Muzi/vulnerability/issues/1 • CWE-269: Improper Privilege Management
CVE-2022-29770
https://notcve.org/view.php?id=CVE-2022-29770
03 Jun 2022 — XXL-Job v2.3.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /xxl-job-admin/jobinfo. • https://github.com/xuxueli/xxl-job/issues/2836 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29002
https://notcve.org/view.php?id=CVE-2022-29002
23 May 2022 — A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add. • https://github.com/xuxueli/xxl-job/issues/2821 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-29204
https://notcve.org/view.php?id=CVE-2020-29204
27 Dec 2020 — XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. • https://github.com/xuxueli/xxl-job/issues/2083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23814
https://notcve.org/view.php?id=CVE-2020-23814
03 Sep 2020 — Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) AppName and (2) AddressList parameters in the JobGroupController.java file. • https://github.com/xuxueli/xxl-job/issues/1866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-23811
https://notcve.org/view.php?id=CVE-2020-23811
03 Sep 2020 — xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java. • https://www.ccsq8.com/issues.html