VYPR
← All advisories
Moderate severityNVD Advisory· Published Sep 3, 2020· Updated Aug 4, 2024

CVE-2020-23814

CVE-2020-23814

Description

Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXL-JOB v2.2.0 contains stored XSS vulnerabilities in the executor management module via AppName and AddressList parameters.

Vulnerability

Description

CVE-2020-23814 describes multiple stored cross-site scripting (XSS) vulnerabilities in XXL-JOB v2.2.0, an open-source distributed task scheduler. The flaws exist in the JobGroupController.java file, where the AppName and AddressList parameters are not properly sanitized or encoded before being stored and later rendered on the page [1]. This allows a remote attacker to inject arbitrary web script or HTML, which will be executed in the context of the victim's browser session.

Exploitation

An attacker with access to the executor management interface can submit crafted payloads via the AppName or AddressList fields. While front-end validation may exist, it can be bypassed by intercepting and modifying the HTTP request with a tool like Burp Suite [3]. The backend code only performed length validation prior to the fix, with no filtering of HTML tags or JavaScript. For example, a payload such as <img/src=# onerror="alert(1)"/> can be stored in the AppName field [3]. Notably, the affected page automatically reloads every 60 seconds, triggering the stored XSS payload repeatedly without requiring user interaction beyond accessing the page.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's browser. This could be leveraged to steal session cookies, perform actions impersonating the administrator, deface the interface, or redirect victims to malicious sites. As the scheduler dashboard is typically accessible to administrators, the impact is limited to users with privileges to manage executor groups; however, any stored XSS that targets administrative accounts can lead to broader compromise of the scheduler system.

Mitigation

The vulnerability was addressed in commit 2276285, part of the XXL-JOB v2.2.0 development branch [2]. The fix adds server-side input validation to block the < and > characters in the AppName and Title fields, preventing injection of HTML tags. Users are strongly advised to upgrade to the latest patched version. As of the publication date, no evidence of exploitation in the wild has been documented, but the vulnerability is trivial to exploit and should be remediated promptly.

References
  1. NVD - CVE-2020-23814
  2. 调度中心页面交互优化:用户管理模块密码列取消;多处表达autocomplete取消;执行器管理模块XSS拦截校验等; · xuxueli/xxl-job@2276285
  3. v2.2.0 Stored XSS vulnerabilities

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.xuxueli:xxl-jobMaven
< 2.3.02.3.0

Affected products

2

Patches

1
227628567354

调度中心页面交互优化:用户管理模块密码列取消;多处表达autocomplete取消;执行器管理模块XSS拦截校验等;

https://github.com/xuxueli/xxl-jobxueli.xueOct 30, 2020via ghsa
commit
6 files changed · +25 6
  • doc/XXL-JOB官方文档.md+2 0 modified
    @@ -2062,9 +2062,11 @@ data: post-data
 - 16、调度中心组件加载顺序优化,修复极端情况下调度组件初始慢导致的调度失败问题;
 - 17、执行器注册线程优化,修复极端情况下初始化失败时导致NPE问题;
 - 18、执行器Commandhandler示例任务优化,修复极端情况下脚本进程挂起问题;
+- 19、调度中心页面交互优化:用户管理模块密码列取消;多处表达autocomplete取消;执行器管理模块XSS拦截校验等;
 - 19、[ING]任务触发参数优化:支持选择 "Cron触发"、"固定间隔时间触发"、"指定时间点触发"、"不选择" 等;
 - 20、[ING]任务 misfire 策略:忽略、补偿一次、补偿最近10次……等;
 - 21、[规划中]执行器注册,异步写入;
+- 22、[规划中]默认开启访问令牌鉴权;
 
 
 ### 7.32 版本 v2.3.0 Release Notes[规划中]
  • xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobGroupController.java+10 0 modified
    @@ -68,13 +68,23 @@ public ReturnT<String> save(XxlJobGroup xxlJobGroup){
 		if (xxlJobGroup.getAppname().length()<4 || xxlJobGroup.getAppname().length()>64) {
 			return new ReturnT<String>(500, I18nUtil.getString("jobgroup_field_appname_length") );
 		}
+		if (xxlJobGroup.getAppname().contains(">") || xxlJobGroup.getAppname().contains("<")) {
+			return new ReturnT<String>(500, "AppName"+I18nUtil.getString("system_unvalid") );
+		}
 		if (xxlJobGroup.getTitle()==null || xxlJobGroup.getTitle().trim().length()==0) {
 			return new ReturnT<String>(500, (I18nUtil.getString("system_please_input") + I18nUtil.getString("jobgroup_field_title")) );
 		}
+		if (xxlJobGroup.getTitle().contains(">") || xxlJobGroup.getTitle().contains("<")) {
+			return new ReturnT<String>(500, I18nUtil.getString("jobgroup_field_title")+I18nUtil.getString("system_unvalid") );
+		}
 		if (xxlJobGroup.getAddressType()!=0) {
 			if (xxlJobGroup.getAddressList()==null || xxlJobGroup.getAddressList().trim().length()==0) {
 				return new ReturnT<String>(500, I18nUtil.getString("jobgroup_field_addressType_limit") );
 			}
+			if (xxlJobGroup.getAddressList().contains(">") || xxlJobGroup.getAddressList().contains("<")) {
+				return new ReturnT<String>(500, I18nUtil.getString("jobgroup_field_registryList")+I18nUtil.getString("system_unvalid") );
+			}
+
 			String[] addresss = xxlJobGroup.getAddressList().split(",");
 			for (String item: addresss) {
 				if (item==null || item.trim().length()==0) {
  • xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java+7 0 modified
    @@ -56,6 +56,13 @@ public Map<String, Object> pageList(@RequestParam(required = false, defaultValue
         List<XxlJobUser> list = xxlJobUserDao.pageList(start, length, username, role);
         int list_count = xxlJobUserDao.pageListCount(start, length, username, role);
 
+        // filter
+        if (list!=null && list.size()>0) {
+            for (XxlJobUser item: list) {
+                item.setPassword(null);
+            }
+        }
+
         // package result
         Map<String, Object> maps = new HashMap<String, Object>();
         maps.put("recordsTotal", list_count);		// 总记录数
  • xxl-job-admin/src/main/resources/static/js/user.index.1.js+1 1 modified
    @@ -33,7 +33,7 @@ $(function() {
 					},
 	                {
 	                	"data": 'password',
-						"visible" : true,
+						"visible" : false,
                         "width":'20%',
                         "render": function ( data, type, row ) {
                             return '*********';
  • xxl-job-admin/src/main/resources/templates/jobgroup/jobgroup.index.ftl+2 2 modified
    @@ -28,13 +28,13 @@
                 <div class="col-xs-3">
                     <div class="input-group">
                         <span class="input-group-addon">AppName</span>
-                        <input type="text" class="form-control" id="appname" autocomplete="on" placeholder="${I18n.system_please_input}AppName" >
+                        <input type="text" class="form-control" id="appname" placeholder="${I18n.system_please_input}AppName" >
                     </div>
                 </div>
                 <div class="col-xs-3">
                     <div class="input-group">
                         <span class="input-group-addon">${I18n.jobgroup_field_title}</span>
-                        <input type="text" class="form-control" id="title" autocomplete="on" placeholder="${I18n.jobgroup_field_title}" >
+                        <input type="text" class="form-control" id="title" placeholder="${I18n.jobgroup_field_title}" >
                     </div>
                 </div>
                 <div class="col-xs-2">
  • xxl-job-admin/src/main/resources/templates/jobinfo/jobinfo.index.ftl+3 3 modified
    @@ -46,17 +46,17 @@
                 </div>
                 <div class="col-xs-2">
                     <div class="input-group">
-                        <input type="text" class="form-control" id="jobDesc" autocomplete="on" placeholder="${I18n.system_please_input}${I18n.jobinfo_field_jobdesc}" >
+                        <input type="text" class="form-control" id="jobDesc" placeholder="${I18n.system_please_input}${I18n.jobinfo_field_jobdesc}" >
                     </div>
                 </div>
                 <div class="col-xs-2">
                     <div class="input-group">
-                        <input type="text" class="form-control" id="executorHandler" autocomplete="on" placeholder="${I18n.system_please_input}JobHandler" >
+                        <input type="text" class="form-control" id="executorHandler" placeholder="${I18n.system_please_input}JobHandler" >
                     </div>
                 </div>
                 <div class="col-xs-2">
                     <div class="input-group">
-                        <input type="text" class="form-control" id="author" autocomplete="on" placeholder="${I18n.system_please_input}${I18n.jobinfo_field_author}" >
+                        <input type="text" class="form-control" id="author" placeholder="${I18n.system_please_input}${I18n.jobinfo_field_author}" >
                     </div>
                 </div>
 	            <div class="col-xs-1">

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.