Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Xxl\-Job
(Xuxueli)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 19 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-09-28 | CVE-2022-40929 | XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks. NOTE: this is disputed because the issues/4929 report is about an intended and supported use case (running arbitrary Bash scripts on behalf of users). | Xxl\-Job | 9.8 | ||
| 2024-02-08 | CVE-2024-24113 | xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. | Xxl\-Job | 8.8 | ||
| 2024-04-06 | CVE-2024-3366 | A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480. | Xxl\-Job | 9.8 | ||
| 2022-11-17 | CVE-2022-43183 | XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. | Xxl\-Job | 8.8 | ||
| 2023-03-21 | CVE-2023-27087 | Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter. | Xxl\-Job | 7.5 | ||
| 2023-04-10 | CVE-2023-26120 | This affects all versions of the package com.xuxueli:xxl-job. HTML uploaded payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update. | Xxl\-Job | 6.1 | ||
| 2023-05-26 | CVE-2023-33779 | A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/. | Xxl\-Job | 8.8 | ||
| 2020-09-03 | CVE-2020-23811 | xxl-job 2.2.0 allows Information Disclosure of username, model, and password via job/admin/controller/UserController.java. | Xxl\-Job | 7.5 | ||
| 2020-09-03 | CVE-2020-23814 | Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file. | Xxl\-Job | 6.1 | ||
| 2020-12-27 | CVE-2020-29204 | XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java. | Xxl\-Job | 6.1 |