
XXL-JOB Escalation of Privileges vulnerability #1

Open
Richard-Muzi opened this issue Jul 11, 2022 · 0 comments

Comments

@Richard-Muzi
Owner

Richard-Muzi commented Jul 11, 2022

XXL-JOB is a distributed task scheduling framework; its core design goals are rapid development, simple learning, light weight and easy extension. It is now open source and is used in the online product lines of a number of companies.
https://www.xuxueli.com/xxl-job/en/
https://github.com/xuxueli/xxl-job/

An escalation-of-privileges vulnerability was discovered in the open-source CMS. OK, follow my steps to see how to achieve the vulnerability!

1. You need to log in to the system (default admin account: admin/123456); you'll see six functions.
2. Next, click the "user management (用户管理)" function and create a low-privilege user named test.
3. Log out of the admin account and log in with the test account. We'll find there are only four functions.
4. If we add "/jobgroup" to the end of the URL, we can see the fifth function, "Executor management (执行器管理)", and even edit it!

So, we can achieve the vulnerability in four steps and execute an admin function with a low-privilege account.
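The report above is a classic case of missing function-level access control: the menu hides "/jobgroup" from the low-privilege user, but the server never re-checks the role when the hidden URL is requested directly. The following is an added example and not XXL-JOB's own code; it is a hypothetical mini-router that models the six functions from the issue (only "/jobgroup" is taken from the report, the other paths are placeholders), shows the weak dispatcher beside the enforced one, and includes a small detection routine that flags the same forced browsing in constructed access-log lines.

```python
"""Added example (hypothetical, not XXL-JOB code): hiding a menu entry is not authorization."""
from __future__ import annotations
from dataclasses import dataclass

ADMIN, USER = "admin", "user"

# Constructed route table: path -> minimum role. "/jobgroup" is from the issue;
# the remaining paths are placeholders standing in for the other functions.
ROUTE_ROLES = {
    "/": USER,
    "/jobinfo": USER,
    "/joblog": USER,
    "/help": USER,
    "/user": ADMIN,      # user management
    "/jobgroup": ADMIN,  # executor management, admin-only per the report
}


@dataclass(frozen=True)
class Request:
    path: str
    user: str
    role: str  # must come from the server-side session, never from the client


def visible_menu(role: str) -> list[str]:
    """What the UI renders: four entries for a plain user, six for an admin."""
    return sorted(p for p, need in ROUTE_ROLES.items() if need == USER or role == ADMIN)


def dispatch_menu_only(req: Request) -> tuple[int, str]:
    """Weak server: assumes the user can only reach what the menu showed them."""
    if req.path not in ROUTE_ROLES:
        return 404, "not found"
    return 200, f"{req.path} served to {req.user}"


def dispatch_enforced(req: Request) -> tuple[int, str]:
    """Hardened server: the role is checked on every request, not only when rendering the menu."""
    if req.path not in ROUTE_ROLES:
        return 404, "not found"
    if ROUTE_ROLES[req.path] == ADMIN and req.role != ADMIN:
        # A 403 here is also the point to emit an audit log line for the attempt.
        return 403, f"forbidden: {req.user} ({req.role}) -> {req.path}"
    return 200, f"{req.path} served to {req.user}"


def walk(dispatch, user: str, role: str) -> dict[str, int]:
    """Replay step 4 of the report: request every route, hidden or not, as the given session."""
    return {p: dispatch(Request(p, user, role))[0] for p in ROUTE_ROLES}


# Constructed access-log sample in a hypothetical "ts user=.. role=.. METHOD path status" layout.
ACCESS_LOG = """\
2022-07-11T10:00:01 user=admin role=admin GET /jobgroup 200
2022-07-11T10:02:17 user=test role=user GET /jobinfo 200
2022-07-11T10:02:25 user=test role=user GET /jobgroup 200
2022-07-11T10:02:31 user=test role=user POST /jobgroup 200
"""


def forced_browsing_hits(log_text: str) -> list[str]:
    """Detection: a non-admin session that got a 200 from an admin-only route."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts if "=" in f)
        path, status = parts[-2], parts[-1]
        if ROUTE_ROLES.get(path) == ADMIN and fields.get("role") != ADMIN and status == "200":
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("menu for test:", visible_menu(USER))
    print("menu-only server:", walk(dispatch_menu_only, "test", USER))
    print("enforced server: ", walk(dispatch_enforced, "test", USER))
    for h in forced_browsing_hits(ACCESS_LOG):
        print("suspicious:", h)
```

The difference between the two dispatchers is the whole fix: `dispatch_enforced` consults the route table on each request, so the hidden "/jobgroup" returns 403 to the test account while the admin still gets 200. `forced_browsing_hits` shows the corresponding detection idea, which is to look for low-privilege sessions receiving successful responses from routes that should require admin.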
