CVE-2022-36157: XXL-JOB Escalation of Privileges vulnerability · Issue #1 · Richard-Muzi/vulnerability
XXL-JOB, all versions as of 11 July 2022, is vulnerable to Insecure Permissions, allowing a low-privilege account to execute admin functions.
XXL-JOB is a distributed task scheduling framework whose core design goals are rapid development, a simple learning curve, light weight, and easy extension. It is open source and is used in the online product lines of a number of companies.
https://www.xuxueli.com/xxl-job/en/
https://github.com/xuxueli/xxl-job/
An Escalation of Privileges vulnerability was discovered in the open-source CMS. OK, follow my steps to see how to reproduce the vulnerability!
1. You need to log in to the system (default admin account: admin/123456); you'll see six functions.
2. Next, click the "user management (用户管理)" function and create a low-privilege user named test.
3. Log out of the admin account and log in with the test account. We'll find there are only four functions.
4. If we append "/jobgroup" to the end of the URL, we can see the fifth function, "Executor management (执行器管理)", and even edit it!
So, we can reproduce the vulnerability in four steps and execute an admin function with a low-privilege account: the admin-only screen is merely hidden from the menu, not enforced server-side.
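The root cause above is a menu that hides "/jobgroup" from non-admins while the server still serves it. The following is an added example (not XXL-JOB's code, and not from this issue) of the two defender-side pieces that address that class of bug: a deny-by-default server-side role check on the request path, and a sweep over access logs that flags non-admin sessions that received a 2xx on an admin-only path. The role names, the assumed "/user" path and the log format are constructed for the example.

```python
"""Deny-by-default path authorization and a log sweep for hidden-but-reachable admin
screens. Example code, not XXL-JOB's own: roles, the "/user" path and the log format
are constructed assumptions; "/jobgroup" is the path from the issue above."""
import re
from urllib.parse import urlsplit

# Paths only an admin may reach. "/jobgroup" comes from the issue; "/user" is assumed.
ADMIN_ONLY_PREFIXES = ("/jobgroup", "/user")


def normalize_path(raw_path: str) -> str:
    """Drop the query string and trailing slashes so "?x=1" or "/jobgroup/" cannot
    slip past a prefix comparison."""
    path = urlsplit(raw_path).path
    return path.rstrip("/") or "/"


def is_authorized(raw_path: str, role: str) -> bool:
    """Server-side check: hiding a menu entry is not enough; every request to an
    admin-only path (or anything beneath it) is refused unless the role is admin."""
    path = normalize_path(raw_path)
    needs_admin = any(path == p or path.startswith(p + "/") for p in ADMIN_ONLY_PREFIXES)
    return role == "admin" or not needs_admin


# Constructed access-log format (not XXL-JOB's real log): user role method path status
LOG_RE = re.compile(
    r"user=(?P<user>\S+) role=(?P<role>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
)

SAMPLE_LOG = """\
user=admin role=admin GET /jobgroup 200
user=test role=user GET /jobinfo 200
user=test role=user GET /jobgroup 200
user=test role=user POST /jobgroup/update 200
user=test role=user GET /jobgroup 403
"""


def find_privilege_escalations(log_text: str) -> list[tuple[str, str]]:
    """Return (user, path) pairs where a non-admin got a 2xx on an admin-only path.
    A 403 on the same path is what a fixed server should return and is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2") and not is_authorized(m["path"], m["role"]):
            hits.append((m["user"], normalize_path(m["path"])))
    return hits


if __name__ == "__main__":
    print(find_privilege_escalations(SAMPLE_LOG))
```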