Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
CVE-2025-15174 describes a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to data theft or session hijacking. The issue resides within the doAppAuditList function of the AppManageController.java file. A patch is available in version 3.2.1.
Successful exploitation of CVE-2025-15174 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal sensitive information like cookies, session tokens, and user credentials. An attacker could also redirect users to malicious websites or deface the application. Given the publicly disclosed nature of the exploit, the risk of exploitation is elevated, particularly if systems are not promptly patched. The impact is amplified if CacheCloud is integrated with other systems, potentially enabling lateral movement within the network.
CVE-2025-15174 was publicly disclosed on 2025-12-29. A proof-of-concept exploit is publicly available, indicating a relatively low barrier to entry for attackers. The vulnerability has been added to the CISA KEV catalog, signifying a heightened risk. Given the public availability of the exploit and the lack of a response from the project, active exploitation is considered probable.
Exploit Status
EPSS: 0.03% (9% percentile)
The primary mitigation for CVE-2025-15174 is to upgrade SohuTV CacheCloud to version 3.2.1 or later, which contains the fix. If immediate upgrading is not feasible, consider implementing input validation and output encoding on the doAppAuditList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Thoroughly review and update any custom code interacting with the doAppAuditList function to ensure proper sanitization.
Update CacheCloud to a version later than 3.2.0 that fixes the XSS vulnerability. If no version is available, review and sanitize user inputs in the doAppAuditList function of the AppManageController.java file to prevent malicious code injection.
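An added example (not from the advisory or the CacheCloud project): a triage script that scans web access logs for requests to the doAppAuditList route whose parameters decode to HTML markup, useful for checking exposure while the upgrade is being rolled out. The route constant is a placeholder, and the `status` parameter name and log lines are constructed assumptions, since the advisory names only the function.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: placeholder for the route that maps to doAppAuditList in your
# deployment; the advisory names only the function, not its URL.
AUDIT_LIST_PATH = "/REPLACE-WITH-AUDIT-LIST-ROUTE"

# Client address and request target from a Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Markup-significant characters that a list filter value should never carry.
# Quotes can appear in legitimate text, so treat hits as leads for triage.
MARKUP_RE = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines, path=AUDIT_LIST_PATH):
    """Return (client, parameter, decoded value) for flagged requests to path."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(path):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if MARKUP_RE.search(decoded):
                hits.append((client, name, decoded))
    return hits

# Constructed log lines; the "status" parameter name is hypothetical.
SAMPLE_LOG = [
    f'203.0.113.7 - - [30/Dec/2025:10:01:02 +0000] "GET {AUDIT_LIST_PATH}?status=1 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [30/Dec/2025:10:02:10 +0000] "GET {AUDIT_LIST_PATH}?status=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5203',
    f'198.51.100.4 - - [30/Dec/2025:10:03:44 +0000] "GET {AUDIT_LIST_PATH}?status=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5188',
    '198.51.100.4 - - [30/Dec/2025:10:04:01 +0000] "GET /other/page?q=%3Cb%3E HTTP/1.1" 200 812',
]
```

Set `AUDIT_LIST_PATH` to the real route before running it over production logs; a flagged value that was served with a 200 response on an unpatched version is worth following up in the affected user's session history.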
CVE-2025-15174 is a cross-site scripting (XSS) vulnerability in SohuTV CacheCloud versions 3.0-3.2.0, allowing attackers to inject malicious scripts and potentially steal user data.
If you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0, you are potentially affected by this vulnerability.
Upgrade SohuTV CacheCloud to version 3.2.1 or later to resolve the vulnerability. Implement input validation and output encoding as a temporary workaround.
Due to the public availability of a proof-of-concept exploit and its addition to the CISA KEV catalog, active exploitation is considered probable.
Refer to the SohuTV CacheCloud project's official website or communication channels for the latest advisory regarding CVE-2025-15174.