CVE-2023-48088: XSS attack appears in /xxl-job-admin/joblog/logDetailPage · Issue #3329 · xuxueli/xxl-job
xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage.
Environment
MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)
Vulnerability Information
When /xxl-job-admin/joblog/logDetailPage is queried, xxl-job-admin reads the related log file directly from the executor machine and renders its content in the console as HTML, even when the log contains `<script> </script>` markup.
Steps to reproduce the behavior
Step 1: Modify the application log in the default path of the XXL-Job-Executor and add malicious JavaScript
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/
Example malicious code
<script>alert(Test123);</script>
Step 2: Log in to the XXL-Job-Admin console as the admin user and navigate to the Log Query page
Check the log by querying log id
Step 3: The alert will show here
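The root cause described above is that log text is placed into the page as markup instead of as text. The following is an added example, not code from xxl-job, contrasting the vulnerable rendering pattern with an output-encoded one; the sample log content and the function names are constructed for illustration and do not reflect the console's actual rendering code.

```javascript
// Added example (not xxl-job code): rendering executor log text on a
// log-detail page without letting the log content become active markup.

// Escape the characters that can terminate text content or an attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample log file content: ordinary handler lines with one
// injected line of the kind the report describes.
const SAMPLE_LOG = [
  '2023-11-20 10:00:00 [JobThread] INFO: job start',
  '<script>alert(Test123);</script>',
  '2023-11-20 10:00:01 [JobThread] INFO: job end',
].join('\n');

// Vulnerable pattern: raw log text is concatenated into HTML, so a <script>
// element written into the log file is parsed and executed by the browser.
function renderLogUnsafe(logText) {
  return '<pre>' + logText + '</pre>';
}

// Hardened pattern: every line is HTML-escaped before it is placed in the
// markup, so the injected line is displayed literally and never executed.
function renderLogSafe(logText) {
  const lines = logText.split('\n').map(escapeHtml);
  return '<pre>' + lines.join('\n') + '</pre>';
}

// Helper used to check a rendered fragment for a live script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of the two outcomes.
console.log('unsafe has <script>:', containsScriptTag(renderLogUnsafe(SAMPLE_LOG)));
console.log('safe   has <script>:', containsScriptTag(renderLogSafe(SAMPLE_LOG)));
```

In a browser, the equivalent of `renderLogSafe` is assigning the log text to an element's `textContent` rather than `innerHTML`; escaping at the point of output is the fix regardless of how the text reached the log file, since anyone able to write to an executor's log directory controls what the admin console displays.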