Description
XXL-JOB is a distributed task scheduling framework whose core design goals are rapid development, ease of learning, light weight and easy extension. It is open source and has been adopted by a number of companies in production.
https://www.xuxueli.com/xxl-job/en/
https://github.com/xuxueli/xxl-job/
An escalation-of-privilege vulnerability was discovered in the open-source CMS. OK, follow my steps to see how to reproduce the vulnerability!
1. You need to log in to the system (default admin account: admin/123456); you'll see six functions.
2. Next, click the "User Management (用户管理)" function and create a low-privilege user named test.
3. Log out of the admin account and log in with the test account. We'll find there are only four functions.
4. If we add "/jobgroup" to the end of the URL, we can see the fifth function, "Executor Management (执行器管理)", and even edit it!
So we can achieve the vulnerability in four steps and execute an admin function with a low-privilege account.
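The root cause described above is that the admin console hides the menu entry for low-privilege users but does not enforce the role on the server, so requesting "/jobgroup" directly succeeds. The Spring MVC interceptor below is an added illustration of the missing server-side check; it is not XXL-JOB's own code, and it assumes a javax-servlet-based Spring 5 stack and that the login filter stores the user's role in a hypothetical session attribute named "login_role" ("admin" or "user").

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

/**
 * Server-side role check for admin-only pages such as /jobgroup.
 * Added illustration, not XXL-JOB's own code. Assumes the login filter
 * has already placed the user's role into the session under the
 * hypothetical attribute name "login_role" ("admin" or "user").
 */
public class AdminOnlyInterceptor implements HandlerInterceptor {
    // Route prefixes reserved for the admin role. Hiding the menu entry is
    // not authorization; the server must enforce this list on every request.
    static final List<String> ADMIN_PREFIXES = Arrays.asList("/jobgroup", "/user");

    // Strip the servlet context path, ";jsessionid=..." segments and trailing
    // slashes so that "/xxl-job-admin/jobgroup/" is compared as "/jobgroup".
    static String normalize(String requestUri, String contextPath) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length()) : requestUri;
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);
        while (path.length() > 1 && path.endsWith("/")) path = path.substring(0, path.length() - 1);
        return path;
    }

    static boolean isAdminOnly(String path) {
        for (String prefix : ADMIN_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false;
    }

    // Deny by default: a missing role (unauthenticated) never reaches admin pages.
    static boolean isPermitted(String role, String path) {
        return !isAdminOnly(path) || "admin".equals(role);
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws IOException {
        String path = normalize(req.getRequestURI(), req.getContextPath());
        String role = (String) req.getSession().getAttribute("login_role");
        if (!isPermitted(role, path)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // log these for detection of probing
            return false;
        }
        return true;
    }
}
```

Register the interceptor for "/**" in a WebMvcConfigurer so it runs after the existing login check; with it in place, step 4 above returns 403 for the test user instead of the executor management page.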