CVE-2022-29770

Vulnerability

XXL-Job v2.3.0, a distributed task scheduling framework, contains a stored cross-site scripting (XSS) vulnerability in the task management interface. The vulnerability exists in the /xxl-job-admin/jobinfo endpoint, where user-supplied input is not properly sanitized before being stored and later rendered in the admin panel. This allows an attacker to inject arbitrary JavaScript code that will execute in the context of other administrators viewing the affected task information. [1][2][3]

Exploitation

An attacker with access to the XXL-Job admin panel (typically requiring authentication) can create or edit a task and inject malicious script into fields such as job description or other input fields that are stored and displayed. The injected script will be executed when an administrator views the task list or details page. No additional user interaction beyond viewing the page is required. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrator who accesses the affected task management page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is stored, meaning the payload persists and affects all subsequent viewers. [2][3]

Mitigation

As of the available references, no official patch or fixed version has been released for this vulnerability. Users are advised to apply input validation and output encoding on the /xxl-job-admin/jobinfo endpoint, or restrict access to the admin panel to trusted users only. The vendor has been notified via the GitHub issue tracker. [2]