CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24113
https://notcve.org/view.php?id=CVE-2024-24113
08 Feb 2024 — xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. xxl-job =< 2.4.1 tiene una vulnerabilidad de Server-Side Request Forgery (SSRF), que hace que los usuarios con pocos privilegios controlen el ejecutor de RCE. • https://github.com/xuxueli/xxl-job/issues/3375 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24922
https://notcve.org/view.php?id=CVE-2020-24922
11 Aug 2023 — Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en xxl-job-admin/user/add de xuxueli xxl-job versión 2.2.0 permite a atacantes remotos ejecutar código arbitrario y escalar privilegios a través de un archivo .html manipulado. • https://github.com/xuxueli/xxl-job/issues/1921 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-27087
https://notcve.org/view.php?id=CVE-2023-27087
21 Mar 2023 — Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter. • https://github.com/xuxueli/xxl-job/issues/3096 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0674 – XXL-JOB New Password updatePwd cross-site request forgery
https://notcve.org/view.php?id=CVE-2023-0674
04 Feb 2023 — A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/boyi0508/xxl-job-explain/blob/main/README.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43183
https://notcve.org/view.php?id=CVE-2022-43183
17 Nov 2022 — XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. XXL-Job anterior a v2.3.1 contiene un Server-Side Request Forgery (SSRF) a través del componente /admin/controller/JobLogController.java. • https://github.com/xuxueli/xxl-job/issues/3002 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40929
https://notcve.org/view.php?id=CVE-2022-40929
28 Sep 2022 — XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users). XXL-JOB versión 2.2.0, presenta una vulnerabilidad de ejecución de Comandos en tareas de fondo • https://github.com/xuxueli/xxl-job/issues/2979 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36157
https://notcve.org/view.php?id=CVE-2022-36157
19 Aug 2022 — XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions resulting in the ability to execute admin function with low Privilege account. XXL-JOB todas las versiones a partir del 11 de julio de 2022, son vulnerables a Permisos Inseguros resultando en una capacidad de ejecutar la función de administrador con una cuenta de bajo Privilegio. • https://github.com/Richard-Muzi/vulnerability/issues/1 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29770
https://notcve.org/view.php?id=CVE-2022-29770
03 Jun 2022 — XXL-Job v2.3.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /xxl-job-admin/jobinfo. Se ha detectado que XXL-Job versión v2.3.0, contiene una vulnerabilidad de tipo cross-site scripting (XSS) almacenado por medio de /xxl-job-admin/jobinfo • https://github.com/xuxueli/xxl-job/issues/2836 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29002
https://notcve.org/view.php?id=CVE-2022-29002
23 May 2022 — A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en XXL-Job versión v2.3.0, permite a atacantes crear arbitrariamente cuentas de administrador por medio del componente /gaia-job-admin/user/add • https://github.com/xuxueli/xxl-job/issues/2821 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29204
https://notcve.org/view.php?id=CVE-2020-29204
27 Dec 2020 — XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. XXL-JOB versión 2.2.0, permite un ataque de tipo XSS Almacenado (en Add User) para omitir el límite de 20 caracteres por medio del archivo xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java • https://github.com/xuxueli/xxl-job/issues/2083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •