Xxl Job
Monthly
Token generation in Xuxueli xxl-job up to version 3.1.1 uses password hashing with insufficient computational effort (a weak bcrypt configuration or equivalent), allowing attackers to recover authentication tokens by brute force. The vulnerability affects the makeToken function in IndexController.java and has low practical impact (confidentiality impact only, with no integrity or availability damage); exploitation requires high attack complexity, and the flaw is not known to be actively exploited at scale despite public disclosure.
OS command injection in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to execute arbitrary operating system commands via the commandJobHandler function in SampleXxlJob.java. A public exploit exists and the discoverer rates the issue critical, though the CVSS 4.0 score of 2.1 reflects its limited scope (authenticated access required; low confidentiality, integrity and availability impact). With an EPSS of 0.71% (72nd percentile), the real-world exploitation probability is low despite public PoC availability.
Server-side request forgery in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to make the server issue requests via the httpJobHandler function, enabling access to internal network resources. The vulnerability has a low CVSS score (2.1) because authentication is required and the confidentiality impact is limited, but public exploit code exists, so affected deployments should be remediated promptly.