CVE-2020-23814
MEDIUM EXPLOITED IN THE WILD NUCLEIxxl-job < 2.3.0 - Cross-Site Scripting via AppName and AddressList Parameters
Title source: llmExploitation Summary
CVE-2020-23814 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
Multiple cross-site scripting (XSS) vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) AppName and (2)AddressList parameter in JobGroupController.java file.
Nuclei Templates (1)
XXL-JOB v2.2.0 — Stored Cross Site Scripting
MEDIUMVERIFIEDby Sourabh-Sahu
Shodan:
http.html:"/xxl-job-admin/static/favicon.ico" || http.favicon.hash:"1691956220"
FOFA:
app="xxl-job" || icon_hash=1691956220
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://www.ccsq8.com/issues.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/xuxueli/xxl-job/issues/1866
Scores
CVSS v3
6.1
EPSS
0.0119
EPSS Percentile
63.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2024-05-10
InTheWild.io
2024-05-17
CWE
CWE-79
Status
published
Products (2)
com.xuxueli/xxl-job
0 - 2.3.0Maven
xuxueli/xxl-job
2.2.0
Published
Sep 03, 2020
Tracked Since
Feb 18, 2026