Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

During the query of /xxl-job-admin/joblog/logDetailPage, the xxl-job-admin will query the related log directly in the machine and show it in the console in HTML format even if the log appears in format

Steps to reproduce the behavior

Step 1: Modify the application log in default path of XXL-Job-Executor and add malicious javascript
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/

Example malicious code
<script>alert(Test123);</script>

Step 2: Login to the XXL-Job-Admin console by admin user and navigate to Log Query Page
Check the log by querying log id

Step 3: Alert will show here