VYPR
High severity · NVD Advisory · Published Aug 11, 2023 · Updated Oct 9, 2024

CVE-2020-24922

Description

Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0, allows remote attackers to execute arbitrary code and escalate privileges via crafted .html file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery (CSRF) in XXL-JOB admin panel allows unauthenticated attackers to add arbitrary administrator accounts remotely.

Vulnerability

Overview

Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin/user/add endpoint of xuxueli XXL-JOB version 2.2.0. The application fails to implement anti-CSRF tokens or origin validation on the user creation form, allowing an attacker to forge requests that add new administrator accounts without the victim's consent [1][2].

Attack

Vector

An authenticated administrator must visit a malicious HTML page crafted by the attacker. The page contains a hidden form that automatically submits a POST request to the vulnerable endpoint, supplying parameters such as username, password, role, and permission. Since the victim's browser includes session cookies, the forged request is processed as legitimate [3]. No special privileges or network position are required beyond enticing the administrator to the malicious page.

Impact

Successful exploitation allows the attacker to create a new admin account (test1, with role 0 meaning administrator, and permission 1), granting full control over the XXL-JOB scheduling platform. This can lead to arbitrary job execution, data exfiltration, and lateral movement within the affected infrastructure.

Mitigation

The issue was publicly disclosed in the project's issue tracker [3], but as of the report date no official patch was confirmed for version 2.2.0. Upgrading to a later version or implementing CSRF protections such as synchronizer tokens, same-site cookies, or referrer checks is strongly advised.
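As an added illustration of the protections listed above (not XXL-JOB's own code), the following Python guard combines an Origin/Referer check with a per-session synchronizer token, in the position a servlet filter would occupy in front of a state-changing endpoint such as /xxl-job-admin/user/add. The admin origin, the hidden-field name _csrf and the request shape are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example of a CSRF guard for state-changing admin endpoints.
# Not XXL-JOB's own code; the form field name and expected origin are assumptions.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "_csrf"  # hidden form field carrying the synchronizer token


def issue_token(session: dict) -> str:
    """Bind a fresh random synchronizer token to the server-side session."""
    session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port], lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method: str, headers: dict, form: dict, session: dict,
                  expected_origin: str) -> tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state-changing requests
    need both a matching Origin/Referer and a valid synchronizer token."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # 1. Browser-set Origin (fallback: Referer) must match the admin origin.
    #    An auto-submitting form on another site cannot spoof these headers.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin and Referer"
    if _origin_of(source) != expected_origin.lower():
        return False, f"cross-origin request from {_origin_of(source)}"
    # 2. Synchronizer token: a forged form cannot know the per-session value.
    submitted = form.get(TOKEN_FIELD, "").encode()
    expected = session.get(TOKEN_FIELD, "").encode()
    if not expected or not hmac.compare_digest(submitted, expected):
        return False, "invalid or missing CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sess = {}
    tok = issue_token(sess)
    admin = "https://jobs.example.internal"  # assumed admin-panel origin
    print(check_request("POST", {"Origin": "https://attacker.example"},
                        {"username": "test1"}, sess, admin))
    print(check_request("POST", {"Origin": admin},
                        {"username": "ops", TOKEN_FIELD: tok}, sess, admin))
```

Cookies alone are never consulted, which is the point: the victim's browser attaches them automatically, so a decision based on them would accept the forged request.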

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions   Patched versions
com.xuxueli:xxl-job   Maven       <= 2.2.0            (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)