CVE-2020-23814
published 2020-09-03


Priority: P2 77 · medium · CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 1.19% (64.0th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2) AddressList parameter in JobGroupController.java file.

Affected

1 range

Vendor: xuxueli
Product: xxl-job
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /xxl-job-admin/login
url: /xxl-job-admin/jobgroup/save
url: /xxl-job-admin/jobgroup/pageList
url: /xxl-job-admin/
command: appname={{title}}&title={{title}}&addressType=1&addressList=
command: alert(document.domain)
  • Detect exploitation attempts by monitoring POST requests to /xxl-job-admin/jobgroup/save containing XSS payloads (e.g., script tags or alert()) in the appname or addressList parameters.
  • Fingerprint vulnerable XXL-JOB 2.2.0 instances by checking HTTP response body for the string 'XXL-JOB 2.2.0' on the /xxl-job-admin/ endpoint.
  • Use Shodan query http.html:"/xxl-job-admin/static/favicon.ico" or favicon hash 1691956220 to identify exposed XXL-JOB admin panels.
  • Use FOFA query app="xxl-job" or icon_hash=1691956220 to identify exposed XXL-JOB instances.
  • The attack flow requires authentication first (POST /xxl-job-admin/login), then stores the XSS payload via POST /xxl-job-admin/jobgroup/save, and triggers it via POST /xxl-job-admin/jobgroup/pageList; monitor this sequence of requests as an attack chain indicator.
  • Requests to the vulnerable endpoints include the header X-Requested-With: XMLHttpRequest; monitor for this combined with suspicious appname/addressList parameter values containing HTML/JS.
  • Exploitation requires prior authentication to the XXL-JOB admin panel; the XSS is stored (not reflected), meaning the payload is injected via jobgroup/save and triggered when jobgroup/pageList is rendered.
  • The vulnerability is confirmed only in XXL-JOB version 2.2.0; the detection template checks for 'XXL-JOB 2.2.0' in the response body to gate further exploitation steps.
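Detection logic for the request chain described above (login, then a jobgroup/save whose appname or addressList carries HTML/JS, then jobgroup/pageList from the same client), as an added example that is not part of this record or of the XXL-JOB project. The request tuples, client addresses and login body are constructed, and the HTML/JS marker regex is a heuristic assumption, not a signature from the source.

```python
import re
from urllib.parse import parse_qs

# Heuristic markers (assumption): a tag opener, a javascript: URL, an inline
# event handler, or an alert() call in a field that should hold a plain app
# name or an executor address list.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=|alert\s*\(", re.IGNORECASE)
WATCHED_PARAMS = ("appname", "addressList")
LOGIN_PATH = "/xxl-job-admin/login"
SAVE_PATH = "/xxl-job-admin/jobgroup/save"
PAGELIST_PATH = "/xxl-job-admin/jobgroup/pageList"


def suspicious_save(method, path, body):
    """Return the watched parameter names carrying HTML/JS markers in a jobgroup/save body, else []."""
    if method != "POST" or path != SAVE_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)
    return [p for p in WATCHED_PARAMS if any(SUSPICIOUS.search(v) for v in params.get(p, []))]


def find_attack_chains(requests):
    """Return (client, index of the tainted save) for every login -> tainted save -> pageList sequence, per client."""
    stage = {}       # client -> 1 after login, 2 after a tainted save
    save_index = {}  # client -> request index of the tainted save
    chains = []
    for i, (client, method, path, body) in enumerate(requests):
        if method != "POST":
            continue
        if path == LOGIN_PATH:
            stage[client] = 1
        elif path == SAVE_PATH and stage.get(client, 0) >= 1 and suspicious_save(method, path, body):
            stage[client] = 2
            save_index[client] = i
        elif path == PAGELIST_PATH and stage.get(client) == 2:
            chains.append((client, save_index[client]))
            stage[client] = 1  # payload is already stored; later renders are follow-ups
    return chains


# Constructed sample traffic: (client, method, path, url-encoded body). Login field names are placeholders.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", LOGIN_PATH, "user=admin&pass=%5Bredacted%5D"),
    ("10.0.0.5", "POST", SAVE_PATH, "appname=%3Cscript%3Ealert(document.domain)%3C/script%3E&title=t&addressType=1&addressList="),
    ("10.0.0.5", "POST", PAGELIST_PATH, "start=0&length=10"),
    ("10.0.0.9", "POST", LOGIN_PATH, "user=ops&pass=%5Bredacted%5D"),
    ("10.0.0.9", "POST", SAVE_PATH, "appname=billing-executor&title=Billing&addressType=1&addressList=10.0.1.20:9999"),
    ("10.0.0.9", "POST", PAGELIST_PATH, "start=0&length=10"),
]

if __name__ == "__main__":
    print(find_attack_chains(SAMPLE_REQUESTS))  # [('10.0.0.5', 1)]
```

The second client's save carries a normal app name and executor address, so only the first client's sequence is reported as a chain.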

CVSS provenance

nvd (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd (v2.0): 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck: 6.1 MEDIUM