Download the source code from https://github.com/xuxueli/xxl-job warehouse, on the personal cloud host structures, the latest version: XXL - JOB 2.3.0

Create user test without any permission

Verify that other functions cannot be accessed

The Test user cookies: XXL_JOB_LOGIN_IDENTITY=7b226964223a342c22757365726e616d65223a2274657374222c2270617373776f7264223a22303938663662636434363 2316433373363616465346538333236323762346636222c22726f6c65223a302c227065726d697373696f6e223a22227d
Problem: XXl-job 2.3.0 allows users with low permissions to add storage XSS to administrators
Vulnerability problem interface: /xxl-job-admin/jobinfo/add
Expected result: The test user fails to create or update a task
Actual result: The test user can create and execute tasks to load stored XSS
Vulnerability verification case: Add tasks with admin permission, update tasks Function Task parameters add POC: alert(13)
Capture data packets. Replace the cookie of user test with the cookie of user Test and send the cookie. The task is created successfully

Click Execute task as admin to change the cookie to test user cookie

The task that Admin belongs to is successfully executed by the test user. The Admin user queries logs and successfully loads XSS

Also problematic interfaces are:

1. Edit the addresslist parameter of the /xxl-job-admin/jobgroup/update interface
2. Edit and update the executorParam parameters of the task function /xxl-job-admin/jobinfo/update interface
3. Save the ueRemark parameter of edit GLUE IDE /xxl-job-admin/jobcode/save interface
4. Perform the task once function /xxl-job-admin/jobinfo/trigger The addresslist parameter of the interface
   Vulnerability hazard: Low-permission user Test can vertically add tasks of admin user and store XSS, hijack cookies of administrator user or obtain sensitive information such as administrator keylog and browser record through XSS vulnerability