v2.2.0 Stored XSS vulnerabilities #1866
Comments
Hi, any plans on releasing a fix for this?

Thanks for the feedback!

Hello @xuxueli, thanks in advance!

Hi, @NicoleG25, did you find where the fix was applied? Because the controller is still the same.
Locate the executor management function:

https://github.com/xuxueli/xxl-job/blob/289f02185b952f4652a4a7daf4ac3c6384f338bc/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobGroupController.java

Inserting the POC there is subject to front-end validation. By code audit, I found that the back end only has length validation, which can be bypassed with Burp Intercept.

POC: <img/src=# onerror="alert(1)"/>

The code directly takes AppName and the manually entered parameters for front-end display, with no filtering or encoding. This causes a stored XSS vulnerability.

The page automatically loads and triggers the XSS every 60 seconds.
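To make the reported gap concrete, here is an added example (not xxl-job's code) that contrasts a length-only server-side check on the AppName field with an allowlist pattern plus HTML escaping on output. The length bounds, the allowed character set and the class name are assumptions for this example.

```java
import java.util.regex.Pattern;

// Added example, not xxl-job's code: the length-only check the report
// describes next to a hardened check and output encoding for the same field.
public class AppNameValidation {

    // Mirrors the reported behaviour: only the length is checked on the
    // back end, so markup that passes the length bounds is stored as-is.
    // (Bounds of 4..64 are an assumption for this example.)
    static boolean lengthOnlyCheck(String appName) {
        return appName != null && appName.length() >= 4 && appName.length() <= 64;
    }

    // Hardened: allowlist the characters an application name legitimately
    // needs, so HTML metacharacters are rejected server-side regardless of
    // any front-end validation. (Character set is an assumption.)
    private static final Pattern APP_NAME = Pattern.compile("^[A-Za-z0-9_.-]{4,64}$");

    static boolean allowlistCheck(String appName) {
        return appName != null && APP_NAME.matcher(appName).matches();
    }

    // Defence in depth: encode when rendering, so a value that did reach
    // the database is displayed as text instead of interpreted as markup.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The payload quoted in the report, used here as a test value.
        String poc = "<img/src=# onerror=\"alert(1)\"/>";
        System.out.println("length-only check accepts POC: " + lengthOnlyCheck(poc));
        System.out.println("allowlist check accepts POC:   " + allowlistCheck(poc));
        System.out.println("escaped for display:           " + htmlEscape(poc));
    }
}
```

The allowlist check is what stops the bypass described above; the escaping is a second layer that also covers values already stored before the check was added.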