VYPR
High severity · NVD Advisory · Published May 23, 2022 · Updated Aug 3, 2024

CVE-2022-29002

Description

A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery in XXL-Job v2.3.0 allows attackers to create administrator accounts via the /gaia-job-admin/user/add endpoint.

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in XXL-Job v2.3.0, specifically in the /gaia-job-admin/user/add endpoint, which allows attackers to create arbitrary administrator accounts without proper origin validation. The affected version is v2.3.0 as reported in the official repository [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious web page or email that causes an authenticated admin user's browser to send a forged request to the vulnerable endpoint. The attacker needs no credentials of their own but relies on the victim holding an active session. The proof-of-concept (POC) provided in the GitHub issue [3] demonstrates a simple HTML form that, when submitted, sends a POST request creating an admin account with attacker-chosen parameters.

Impact

Successful exploitation allows an attacker to create a new administrator account with full privileges in XXL-Job. This leads to complete compromise of the task scheduling platform, enabling unauthorized task execution, modification of jobs, and access to sensitive data.

Mitigation

As of the publication date, no official patched version has been released. The vendor has been notified via the GitHub issue [3], but no fix is confirmed. Mitigation options include adding CSRF protections (e.g., anti-CSRF tokens) to state-changing admin requests, restricting access to the admin interface to trusted networks only, and ensuring that only the intended users hold accounts on the application.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
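The anti-CSRF token mitigation named above, as an added example that is not XXL-Job's own code (the project is a Java/Spring application; this is illustrative server-side logic in Python). It applies the two standard checks to every state-changing request: the request's Origin (or, failing that, Referer) must match the admin console's origin, and the form must carry the synchronizer token bound to the victim's session. ADMIN_ORIGIN and the request/session dicts are constructed for the example; the endpoint path is the one from the advisory.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values: the admin console's own origin and the endpoint named in
# the advisory. XXL-Job itself is a Java/Spring application; this is
# illustrative logic, not the project's code.
ADMIN_ORIGIN = "https://jobadmin.example.internal"
USER_ADD_PATH = "/gaia-job-admin/user/add"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Bind a fresh random token to the logged-in session (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Origin of the request, taken from Origin or, failing that, Referer."""
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        parsed = urlparse(headers["Referer"])
        return f"{parsed.scheme}://{parsed.netloc}"
    return None  # browsers send at least one of these on a form POST


def csrf_check(request, session):
    """Return (allowed, reason) for a request dict {method, path, headers, form}.

    Both checks apply to every state-changing request, so a forged cross-site
    POST of the kind described in the advisory fails twice: its origin is not
    the admin console, and it cannot carry the token bound to the victim's
    session.
    """
    if request["method"] not in STATE_CHANGING:
        return True, "safe method"
    if request_origin(request["headers"]) != ADMIN_ORIGIN:
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("_csrf", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"
```

Every POST to the user-creation endpoint passes through csrf_check before the handler runs; a request from another site fails the origin check even if it somehow guessed a token, and a same-origin request without the session's token is rejected as well.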

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem  Affected versions  Patched versions
com.xuxueli:xxl-job  Maven      <= 2.3.0           (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in our index yet)