VYPR
Moderate severity · NVD Advisory · Published Feb 4, 2023 · Updated Aug 2, 2024

XXL-JOB New Password updatePwd cross-site request forgery

CVE-2023-0674

Description

A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXL-JOB 2.3.1 contains a CSRF vulnerability in the /user/updatePwd endpoint, allowing remote attackers to change user passwords without consent.

Vulnerability

Analysis

CVE-2023-0674 identifies a cross-site request forgery (CSRF) vulnerability in XXL-JOB version 2.3.1. The flaw resides in the /user/updatePwd endpoint of the New Password Handler component. The application fails to implement CSRF tokens or other anti-forgery protections, making it possible for an attacker to trick an authenticated user into unknowingly submitting a password change request [1][2].

Exploitation

The attack is remotely exploitable. An attacker can craft a malicious web page or link that, when visited by an authenticated XXL-JOB user (e.g., via social engineering), triggers a password update to a value chosen by the attacker. No direct authentication on the part of the attacker is required; the victim's active session is sufficient. The exploit details have been publicly disclosed, increasing the risk of real-world attacks [2].

Impact

Successful exploitation allows the attacker to change the victim's account password, potentially leading to unauthorized access to the XXL-JOB administration panel. This can compromise scheduled tasks, configuration data, and any sensitive information managed by the platform. The CVSS assessment classifies this as a medium-severity issue but does not yet provide a full vector string [2].

Mitigation

As of the publication date, no official patch has been released by the vendor. Users should implement generic CSRF protections, such as adding CSRF tokens to all state-changing requests, restricting access to the XXL-JOB interface via network controls, and enabling multi-factor authentication where possible. Until a fix is applied, the vulnerability remains exploitable in the default deployment [1][2].
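As an added illustration of the token-based mitigation described above (example code, not XXL-JOB's own), the following models a guarded /user/updatePwd handler in Python: the server issues a per-session synchronizer token, embeds it in the form it renders, and rejects any submission whose token or Origin does not match. The ALLOWED_ORIGINS value and the handler names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder for the scheduler's own origin (assumption, not from the advisory).
ALLOWED_ORIGINS = {"https://xxl-job.internal.example"}


@dataclass
class Session:
    """Server-side session state; the CSRF token is bound to it, not to a cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_update_pwd_form(session: Session) -> dict:
    """The server embeds the per-session token in the form it renders. A page on
    another origin cannot read this value, so it cannot build a valid submission."""
    return {"action": "/user/updatePwd", "csrf_token": session.csrf_token}


def check_csrf(session: Session, headers: dict, form: dict) -> tuple:
    """Defence in depth: an Origin/Referer allowlist plus a synchronizer token."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin and Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    token = form.get("csrf_token", "")
    # Constant-time comparison; compare_digest needs ASCII str, so reject anything else first.
    if not token.isascii() or not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def handle_update_pwd(session: Session, headers: dict, form: dict, store: dict) -> tuple:
    """Guarded handler for POST /user/updatePwd (modelled here, not XXL-JOB's code)."""
    ok, reason = check_csrf(session, headers, form)
    if not ok:
        return 403, reason
    store[session.user] = form["password"]  # a real handler would hash before storing
    return 200, "password updated"
```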

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xuxueli:xxl-job (Maven)
Affected versions: <= 2.3.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)
