CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24113
https://notcve.org/view.php?id=CVE-2024-24113
08 Feb 2024 — xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. xxl-job =< 2.4.1 tiene una vulnerabilidad de Server-Side Request Forgery (SSRF), que hace que los usuarios con pocos privilegios controlen el ejecutor de RCE. • https://github.com/xuxueli/xxl-job/issues/3375 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24922
https://notcve.org/view.php?id=CVE-2020-24922
11 Aug 2023 — Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en xxl-job-admin/user/add de xuxueli xxl-job versión 2.2.0 permite a atacantes remotos ejecutar código arbitrario y escalar privilegios a través de un archivo .html manipulado. • https://github.com/xuxueli/xxl-job/issues/1921 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-27087
https://notcve.org/view.php?id=CVE-2023-27087
21 Mar 2023 — Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter. • https://github.com/xuxueli/xxl-job/issues/3096 •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43183
https://notcve.org/view.php?id=CVE-2022-43183
17 Nov 2022 — XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. XXL-Job anterior a v2.3.1 contiene un Server-Side Request Forgery (SSRF) a través del componente /admin/controller/JobLogController.java. • https://github.com/xuxueli/xxl-job/issues/3002 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40929
https://notcve.org/view.php?id=CVE-2022-40929
28 Sep 2022 — XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users). XXL-JOB versión 2.2.0, presenta una vulnerabilidad de ejecución de Comandos en tareas de fondo • https://github.com/xuxueli/xxl-job/issues/2979 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36157
https://notcve.org/view.php?id=CVE-2022-36157
19 Aug 2022 — XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions resulting in the ability to execute admin function with low Privilege account. XXL-JOB todas las versiones a partir del 11 de julio de 2022, son vulnerables a Permisos Inseguros resultando en una capacidad de ejecutar la función de administrador con una cuenta de bajo Privilegio. • https://github.com/Richard-Muzi/vulnerability/issues/1 • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29204
https://notcve.org/view.php?id=CVE-2020-29204
27 Dec 2020 — XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. XXL-JOB versión 2.2.0, permite un ataque de tipo XSS Almacenado (en Add User) para omitir el límite de 20 caracteres por medio del archivo xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java • https://github.com/xuxueli/xxl-job/issues/2083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23814
https://notcve.org/view.php?id=CVE-2020-23814
03 Sep 2020 — Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file. Múltiples vulnerabilidades de cross-site scripting (XSS) en xxl-job versión v2.2.0, permiten a atacantes remotos inyectar scripts web o HTML arbitrario por medio de (1) AppName y (2) el parámetro AddressList en el archivo JobGroupController.java • https://github.com/xuxueli/xxl-job/issues/1866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-23811
https://notcve.org/view.php?id=CVE-2020-23811
03 Sep 2020 — xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java. xxl-job versión 2.2.0, permite la divulgación de información de nombre de usuario, modelo y contraseña por medio del job/admin/controller/UserController.java • https://www.ccsq8.com/issues.html •