Xuxueli · Xxl-Job · CVE-2023-26120
**Name of the Vulnerable Software and Affected Versions**
com.xuxueli:xxl-job versions 2.4.0 and earlier
**Description**
The issue allows an HTML uploaded payload to be executed successfully through the API endpoints "/xxl-job-admin/user/add" and "/xxl-job-admin/user/update". This can lead to cross-site scripting (XSS) attacks.
**Recommendations**
For versions 2.4.0 and earlier, as a temporary workaround, consider restricting access to the `/xxl-job-admin/user/add` and `/xxl-job-admin/user/update` API endpoints until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.