HTML Injection Vulnerability in XXL-JOB by Xuxueli
CVE-2023-26120

6.1MEDIUM

Key Information:

Vendor: Xuxueli
Status: Com.xuxueli:xxl-job
Vendor: CVE Published:; 10 April 2023

What is CVE-2023-26120?

A vulnerability has been identified in the XXL-JOB component developed by Xuxueli, affecting all versions of the package com.xuxueli:xxl-job. The vulnerability allows for HTML payloads to be uploaded and executed through the /xxl-job-admin/user/add and /xxl-job-admin/user/update endpoints, potentially compromising the integrity of the application and exposing sensitive data.

Affected Version(s)

com.xuxueli:xxl-job 0

References

https://security.snyk.io/vuln/SNYK-JAVA-COMXUXUELI-3248764

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2023
Vulnerability Reserved
Feb 20, 2023

Credit

Muhamad Zaenul Hasan Basri