VYPR
Moderate severity · GHSA Advisory · Published Apr 10, 2023 · Updated Feb 7, 2025

CVE-2023-26120

Description

This affects all versions of the package com.xuxueli:xxl-job. An HTML payload submitted through /xxl-job-admin/user/add or /xxl-job-admin/user/update is stored and later executes when the affected page is rendered.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XXL-JOB (com.xuxueli:xxl-job) is vulnerable to HTML injection through the user add and update endpoints of xxl-job-admin; a payload stored there executes in the browser of users who view the affected page, a stored XSS.

Overview

The flaw lies in the endpoints /xxl-job-admin/user/add and /xxl-job-admin/user/update, which accept user record fields without validating them and store them as submitted. The stored values are later inserted into pages of the admin interface without HTML output encoding, so a payload submitted in a user field (the username, for instance) is rendered as live markup in the browser of whoever views that page: a stored cross-site scripting (XSS) vulnerability. The GitHub Security Advisory data on this page lists versions up to and including 2.4.0 as affected [1][2].

Exploitation

Exploitation requires an authenticated account on the XXL-Job admin web interface with the privileges needed to create or modify user accounts; no access beyond the web application itself is needed. The attacker submits a user record whose field contains an HTML/JavaScript payload through user/add or user/update, and the server stores it unchanged. The payload executes in the browser of any administrator or other user who later opens a page that renders that record, with that viewer's session [2][3].

Impact

Successful exploitation runs attacker-controlled HTML and JavaScript in the victim's browser, within the origin of the admin panel and with the victim's session. The script can read session cookies that are not marked HttpOnly, issue requests to the admin application as the victim (the script runs same-origin, so the browser attaches the victim's cookies), deface the interface, or redirect the user to a site under the attacker's control. The impact is bounded by the admin panel's origin and the privileges of the logged-in victim [2].

Mitigation

The synthesized narrative states that the issue is fixed in XXL-JOB 3.2.0. The GitHub Security Advisory data reproduced on this page does not record a patched version (affected: 2.4.0 and earlier; no patches discovered yet), so confirm the fixing release against the upstream advisory or release notes before treating an upgrade as sufficient. No workarounds have been officially provided. Independently of the version question: restrict user-management rights to trusted administrators, apply allowlist validation to the username and other stored profile fields, and HTML-encode every user-controlled value at the point it is rendered in the admin UI. An upgrade that fixes the renderer does not remove payloads already stored, so review existing user records after patching [2][3].
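As an added illustration of the mechanism described in the Overview and of the controls named under Mitigation (example code written for this page, not xxl-job's own source), the following Python models a user record stored unchanged through an add/update endpoint, the vulnerable and the encoded rendering of that record, an allowlist validator for the username field, and a post-upgrade audit for payloads that are already stored. The in-memory store, the field names, the username policy and the sample payload are constructed assumptions. In a Java/Spring application the equivalent of html.escape at the render step is Spring's HtmlUtils.htmlEscape.

```python
"""Added example (not xxl-job code): stored HTML injection through a user
add/update path, the output-encoding fix, allowlist input validation, and
an audit of records stored before the fix. Everything here is constructed."""
import html
import re

# Constructed sample payload of the kind the advisory describes: an HTML
# fragment submitted as a username value.
STORED_XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def add_user_vulnerable(store, username, role):
    """Mirrors the flaw: the submitted value is persisted exactly as received."""
    store[username] = {"username": username, "role": role}
    return store[username]


def render_row_vulnerable(user):
    """Vulnerable rendering: the stored value is concatenated straight into
    HTML, so stored markup becomes live markup in the viewer's browser."""
    return ("<tr><td>" + user["username"] + "</td><td>"
            + str(user["role"]) + "</td></tr>")


def render_row_safe(user):
    """Hardened rendering: HTML-encode every user-controlled value at the
    point it enters the page. quote=True also encodes quotes, so the same
    call is safe inside quoted attribute values."""
    return ("<tr><td>" + html.escape(user["username"], quote=True)
            + "</td><td>" + html.escape(str(user["role"]), quote=True)
            + "</td></tr>")


# Assumed policy for a login name: 4 to 20 characters, letters, digits and
# underscore. Not xxl-job's actual rule; the allowlist approach is the point.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{4,20}")


def validate_username(username):
    """Input validation: reject anything outside the allowlist instead of
    trying to strip tags out of it."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def add_user_safe(store, username, role):
    """Validated write path. Output encoding in the renderer remains the
    primary control; validation narrows what can be stored at all."""
    if not validate_username(username):
        raise ValueError("username rejected: does not match allowlist")
    store[username] = {"username": username, "role": role}
    return store[username]


HTML_META = re.compile(r"[<>&\"']")


def find_stored_payloads(users):
    """Post-fix audit: a fixed renderer neutralises stored payloads, but an
    upgrade does not delete them. Returns usernames containing HTML
    metacharacters so the records can be reviewed and cleaned."""
    return [u["username"] for u in users if HTML_META.search(u["username"])]


if __name__ == "__main__":
    store = {}
    record = add_user_vulnerable(store, STORED_XSS_PAYLOAD, 1)
    print("vulnerable:", render_row_vulnerable(record))
    print("hardened:  ", render_row_safe(record))
    print("payload passes allowlist:", validate_username(STORED_XSS_PAYLOAD))
    print("audit hits:", find_stored_payloads(store.values()))
```

The audit function is the step most often skipped: once the renderer encodes, a stored payload is inert, but it is still in the database and will fire again if any other page or export renders the field without encoding.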

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
com.xuxueli:xxl-job  Maven       <= 2.4.0            none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3 (cited inline above as [1] to [3])

News mentions: 0