CVE-2023-26120: 
Java vulnerability analysis and mitigation

CVE-2023-26120 affects all versions of the package com.xuxueli:xxl-job, a distributed task scheduling framework. The vulnerability was discovered on January 26, 2023, and publicly disclosed on April 9, 2023. The issue allows HTML injection through specific endpoints in the application (Snyk Advisory).

The vulnerability is classified as CWE-79 (Cross-site Scripting) and received a CVSS v3.1 base score of 6.1 (Medium) from NIST and 5.4 (Medium) from Snyk. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability specifically allows HTML payload execution through two endpoints: /xxl-job-admin/user/add and /xxl-job-admin/user/update (NVD, Snyk Advisory).

The vulnerability can lead to cross-site scripting attacks, potentially resulting in cookie theft, session hijacking, exposure of sensitive information, access to privileged services and functionality, and malware delivery. The impact assessment indicates low confidentiality and integrity impact, with no direct impact on system availability (Snyk Advisory).

Currently, there is no fixed version available for com.xuxueli:xxl-job. General mitigation strategies include sanitizing data input in HTTP requests, converting special characters to their HTML or URL encoded equivalents, implementing Content Security Policy, and validating all user input before reflection (Snyk Advisory).