CVE-2020-24922

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in xxl-job-admin allows attackers to create admin users via crafted HTML files, leading to privilege escalation and potential arbitrary code execution. It affects xxl-job version 2.2.0 administrators who access malicious web pages while authenticated. The vulnerability is in the user management endpoint and requires user interaction.

💻 Affected Systems

Products:
  • xuxueli xxl-job
Versions: 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the admin interface; requires admin authentication to exploit but can be triggered via CSRF.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through admin account takeover leading to arbitrary code execution, data exfiltration, and lateral movement within the environment.

🟠 Likely Case

Unauthorized admin account creation allowing attackers to access sensitive job scheduling data, modify job configurations, and potentially execute malicious jobs.

🟢 If Mitigated

Limited impact with proper CSRF protections, though some information disclosure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim admin to visit a malicious HTML page while authenticated to xxl-job-admin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://github.com/xuxueli/xxl-job/issues/1921

Restart Required: Yes

Instructions:

1. Upgrade xxl-job to version 2.3.0 or later.
2. Restart the xxl-job-admin service.
3. Verify CSRF protections are enabled in the updated configuration.

🔧 Temporary Workarounds

CSRF Token Implementation (platform: all)

Manually add CSRF token validation to the /user/add endpoint: modify the xxl-job-admin source code to include CSRF token validation in the user management endpoints.

Network Segmentation (platform: all)

Restrict access to the xxl-job-admin interface: configure firewall rules to limit xxl-job-admin access to trusted IPs only.

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and Content Security Policy headers
  • Use browser extensions that block CSRF attempts and monitor for unauthorized user creation

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment is running xxl-job version 2.2.0 and whether the /user/add endpoint lacks CSRF protection

Check Version:

Check application logs or configuration files for xxl-job version information

Verify Fix Applied:

Confirm version is 2.3.0+ and test that CSRF tokens are required for user creation requests

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user creation events in admin logs
  • Multiple failed authentication attempts followed by successful user creation

Network Indicators:

  • HTTP POST requests to /xxl-job-admin/user/add whose Referer (or Origin) header is missing or does not match the admin interface's own host
  • Unusual traffic patterns to admin interface

SIEM Query:

source="xxl-job-admin" AND (event="user_add" OR url_path="/user/add") | stats count by src_ip
