Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
CVE-2025-15171 describes a cross-site scripting (XSS) vulnerability discovered in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking. A public exploit is available, increasing the risk of exploitation. The vulnerability is addressed in version 3.2.1.
The XSS vulnerability in SohuTV CacheCloud allows attackers to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal sensitive information, such as cookies and session tokens, which can then be used to impersonate the user. Attackers could also redirect users to malicious websites or deface the application. Given the public availability of an exploit, the risk of exploitation is elevated, particularly for systems that haven't been patched. The potential blast radius extends to all users of the affected CacheCloud instances.
CVE-2025-15171 has been publicly disclosed and a proof-of-concept exploit is available. This significantly increases the likelihood of exploitation. The vulnerability was reported to the project early, but there has been no response. The CVSS score is LOW, but the public exploit and lack of vendor response warrant immediate attention. It has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-15171 is to upgrade to SohuTV CacheCloud version 3.2.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the affected ServerController.java index function to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific vulnerability. Regularly review access logs for suspicious activity, particularly requests containing unusual characters or patterns that might indicate an attempted XSS attack.
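As an added example, not code from the advisory or from the CacheCloud project, the following Python script applies the log-review advice above to constructed access-log lines: it selects requests to the index endpoint, percent-decodes the query string repeatedly so double-encoded input is seen the way the application would see it, and flags HTML tag and event-handler markers. The request path `/server/index` and the Common Log Format layout are assumptions, since the advisory names only the ServerController index function, not its URL mapping.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /server/index?q=redis-01 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2025:10:01:09 +0000] "GET /server/index?q=%3Cscript%3E HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2025:10:02:33 +0000] "GET /server/index?q=%253Csvg%2520onload%253D HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2025:10:03:01 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""

# Assumption: the vulnerable index handler is served at this path; adjust to the real route.
INDEX_PATH = "/server/index"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers worth a second look in a reflected parameter: an HTML tag opener,
# a javascript: URL, or an on*= event-handler attribute.
SUSPECT_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_xss_attempts(log_text: str) -> list:
    """Return one record per request to INDEX_PATH whose decoded query matches SUSPECT_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m.group("target"))
        if parts.path != INDEX_PATH:
            continue
        query = fully_decode(parts.query)
        if SUSPECT_RE.search(query):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "query": query})
    return hits


if __name__ == "__main__":
    for hit in flag_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['query']!r}")
```

On the constructed sample the script reports the second and third requests; plain `/server/index` traffic and requests to other paths are left alone.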
Update CacheCloud to a version later than 3.2.0, if available, to fix the XSS vulnerability. If no patched version is available, review and sanitize user inputs in the index function of the ServerController.java file to prevent malicious code injection.
CVE-2025-15171 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0-3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade to SohuTV CacheCloud version 3.2.1 or later. Implement input validation and output encoding as a temporary workaround.
A public exploit exists, indicating a high probability of active exploitation. Immediate action is recommended.
Check the SohuTV CacheCloud official website or GitHub repository for the advisory, although no response has been reported as of this writing.