
v2.2.0 Stored XSS vulnerabilities #1866

Closed
wuguan8888 opened this issue Jul 30, 2020 · 5 comments

Comments

@wuguan8888

wuguan8888 commented Jul 30, 2020

Locate the executor management function:
https://github.com/xuxueli/xxl-job/blob/289f02185b952f4652a4a7daf4ac3c6384f338bc/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobGroupController.java
Inserting the POC there is blocked by front-end validation. By code audit, I found that the back end only has length validation, which can be bypassed with Burp Intercept.
POC: <img/src=# onerror="alert(1)"/>
[screenshot]
The code takes AppName and the manually entered parameters directly for front-end display, with no filtering or encoding. This causes a stored XSS vulnerability.
[screenshot]
The page automatically reloads and triggers the XSS every 60 seconds.
[screenshot]
[screenshot]

@ggkitsas

Hi, any plans releasing a fix for this?

@wuguan8888
Author

> Hi, any plans releasing a fix for this?

Encode the parameters as HTML entities, or filter tags with a blacklist.
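The two defences named in this thread, input validation on the back end and HTML-entity encoding at the point of output, side by side. This is an added example and not code from xxl-job or from anyone in the thread; the function names, the 4..64 length range and the character allow-list are assumptions made for the example, and only the payload is taken from the report.

```javascript
// Added example, not code from xxl-job or from this thread. It models the AppName
// field of the executor (job group) form described in the report; the function
// names, the 4..64 length bounds and the allow-list are assumptions.
const POC = '<img/src=# onerror="alert(1)"/>'; // payload quoted in the report

// What the report says the back end did: check the length and nothing else.
// The 4..64 bounds are an assumption for this example.
function lengthOnlyCheck(appName) {
  return typeof appName === 'string' && appName.length >= 4 && appName.length <= 64;
}

// Validation that actually constrains the field: same length bounds plus a
// character allow-list. An executor identifier never needs '<', '"', '/' or
// spaces, so the payload is rejected before it is stored, whether or not the
// browser-side check was bypassed with an intercepting proxy.
const APPNAME_RE = /^[A-Za-z0-9_-]{4,64}$/;
function validateAppName(appName) {
  return typeof appName === 'string' && APPNAME_RE.test(appName);
}

// Output encoding: the five HTML-significant characters become entities, so the
// value can sit in element content or a double-quoted attribute without being
// parsed as markup. '&' is replaced in the same single pass, so an already
// encoded value is not double-encoded by the regex order.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rendering as the report describes it: stored fields concatenated straight into
// the executor list markup. A stored payload becomes a live <img> element on
// every render, and the list is re-rendered on the page's periodic refresh.
function renderRowUnsafe(group) {
  return `<tr><td>${group.appName}</td><td>${group.title}</td></tr>`;
}

// Hardened rendering: every stored field is entity-encoded at the point of output.
function renderRow(group) {
  return `<tr><td>${encodeHtml(group.appName)}</td><td>${encodeHtml(group.title)}</td></tr>`;
}

// Regression-test helper: true if the rendered row contains any tag other than
// the <tr>/<td> the template itself emits.
function hasForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(tr|td)$/.test(t));
}

// Full path for one submitted executor: validate, then render for the list page.
// Returns the markup, or null if the submission was rejected.
function submitAndRender(group, validator, renderer) {
  if (!validator(group.appName)) return null;
  return renderer(group);
}

if (typeof require !== 'undefined' && require.main === module) {
  const constructed = { appName: POC, title: 'sample executor' }; // constructed input
  console.log('length-only check accepts payload:', lengthOnlyCheck(POC));
  console.log('unsafe render:', submitAndRender(constructed, lengthOnlyCheck, renderRowUnsafe));
  console.log('allow-list rejects payload:', submitAndRender(constructed, validateAppName, renderRow));
  console.log('encoded render:', submitAndRender(constructed, lengthOnlyCheck, renderRow));
}
```

Run with `node` to see the payload pass the length-only check, survive unencoded rendering as a real `<img>` tag, and then be either rejected by the allow-list or neutralised by encoding. The allow-list is preferred over the blacklist mentioned above because a blacklist has to enumerate every tag and attribute an attacker might use; output encoding is still applied regardless, since the title field is free text and cannot be allow-listed the same way.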

@xuxueli
Owner

xuxueli commented Oct 30, 2020

Thanks for the feedback!
Fixed and pushed to the master branch; it will be released together with the next version.

@xuxueli xuxueli closed this as completed Oct 30, 2020
@NicoleG25

NicoleG25 commented Dec 1, 2020

Hello @xuxueli
Could you tell me where the fix was applied?

Thanks in advance!

@Findorgri

Findorgri commented Feb 15, 2021

> Hello @xuxueli
> Could you tell me where the fix was applied?
>
> Thanks in advance!

Hi @NicoleG25, did you find where the fix was applied? Because the controller is still the same.
Thanks!
