Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
CVE-2025-15175 describes a cross-site scripting (XSS) vulnerability discovered in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to data theft or session hijacking. A fix is available in version 3.2.1, and a public exploit has been released, indicating a heightened risk.
The XSS vulnerability in CacheCloud allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the application. Given the public availability of an exploit, the risk of exploitation is significant. An attacker could potentially gain unauthorized access to sensitive data or compromise the entire CacheCloud deployment. The impact is amplified if CacheCloud is used to manage or cache sensitive user data.
CVE-2025-15175 has a LOW CVSS score and is currently considered to be actively exploited due to the public availability of a proof-of-concept. While the impact is primarily XSS, the ease of exploitation makes it a concern. The vulnerability was reported to the project but has not yet received a response, potentially indicating a lack of active maintenance. No KEV listing is currently available.
Exploit Status:
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-15175 is to upgrade to CacheCloud version 3.2.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the doAppList/appCommandAnalysis endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor application logs for suspicious activity, particularly requests targeting the vulnerable endpoint. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the doAppList/appCommandAnalysis endpoint and verifying that the payload is properly sanitized.
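For the "monitor application logs" step above, the following is an added example (not CacheCloud project code, and not from the advisory source) of a small access-log scan that flags requests to the vulnerable endpoint whose query string carries HTML metacharacters, including URL-encoded ones. The log lines and the `/app/` route prefix are constructed; the only page-supplied value is the `appCommandAnalysis` path fragment, and the real route layout of the endpoint is an assumption.

```java
// Added example, not CacheCloud project code. Requires Java 10+ for
// URLDecoder.decode(String, Charset) and List.of.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CacheCloudLogMonitor {

    // Path fragment named in the advisory; the full route is not documented there.
    private static final String ENDPOINT = "appCommandAnalysis";

    // Characters and tokens that have no place in a legitimate identifier or filter value.
    private static final Pattern SUSPECT =
        Pattern.compile("[<>\"']|javascript:|\\bon[a-z]+\\s*=", Pattern.CASE_INSENSITIVE);

    /** Returns the subset of combined-format log lines that deserve analyst attention. */
    public static List<String> flagSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            String path = requestPath(line);
            if (path == null || !path.contains(ENDPOINT)) {
                continue;
            }
            // Decode once so %3C-style encoding does not hide the metacharacters.
            if (SUSPECT.matcher(decode(path)).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    /** Extracts the request target from the quoted "METHOD /path HTTP/x" field. */
    private static String requestPath(String line) {
        int open = line.indexOf('"');
        int close = open < 0 ? -1 : line.indexOf('"', open + 1);
        if (open < 0 || close < 0) {
            return null;
        }
        String[] request = line.substring(open + 1, close).split(" ");
        return request.length >= 2 ? request[1] : null;
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed escapes are kept as-is rather than dropped
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines in Apache/Nginx combined format; the /app/ prefix is assumed.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] \"GET /app/appCommandAnalysis?appId=42 HTTP/1.1\" 200 512",
            "10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] \"GET /app/appCommandAnalysis?appId=%3Cb%3E42 HTTP/1.1\" 200 512",
            "10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] \"GET /app/list?appId=%3Cb%3E HTTP/1.1\" 200 128"
        );
        for (String hit : flagSuspicious(sample)) {
            System.out.println("SUSPECT: " + hit);
        }
    }
}
```

Only the second sample line is reported: it targets the named endpoint and its decoded query string contains `<` and `>`. The third line carries the same characters but goes to a different route, which keeps the scan focused on the endpoint the advisory names; widen `ENDPOINT` to a list if other reflected parameters are found during review.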
Update CacheCloud to a version later than 3.2.0, if available, that fixes the cross-site scripting (XSS) vulnerability. If no patched version is available, review and sanitize user inputs in the doAppList/appCommandAnalysis function of the AppController.java file to prevent malicious code injection.
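The two compensating controls named in the mitigation text, input validation and output encoding, are shown together in the following added example. It is not CacheCloud project code and does not reproduce the real `appCommandAnalysis` handler; the parameter names (`appIdParam`, `filterParam`), the assumption that application identifiers are short integers, and the simulated response markup are all constructed for illustration.

```java
// Added example, not CacheCloud project code: allow-list validation of an
// identifier parameter plus HTML output encoding of every reflected value.
import java.util.regex.Pattern;

public class XssMitigationExample {

    // Assumption: application identifiers on this endpoint are short integers.
    private static final Pattern APP_ID = Pattern.compile("^[0-9]{1,10}$");

    /** Allow-list check: anything that is not a plain integer is rejected outright. */
    public static boolean isValidAppId(String raw) {
        return raw != null && APP_ID.matcher(raw).matches();
    }

    /** Escape the characters that can break out of an HTML text or quoted-attribute context. */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Simulated controller method (hypothetical, not the real handler): validate the
     * identifier first, then encode every value that is reflected into the page,
     * including the one that already passed validation.
     */
    public static String renderCommandAnalysis(String appIdParam, String filterParam) {
        if (!isValidAppId(appIdParam)) {
            // Constant markup only: the rejected value is never echoed back.
            return "<p>Invalid application id</p>";
        }
        return "<h2>Command analysis for app " + encodeForHtml(appIdParam) + "</h2>"
             + "<p>Filter: " + encodeForHtml(filterParam) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing every character the encoder handles.
        String untrusted = "<b onmouseover=\"f()\">x</b> & 'y'";
        System.out.println(renderCommandAnalysis("42", untrusted));
        System.out.println(renderCommandAnalysis(untrusted, "none"));
    }
}
```

The first call renders the filter value with all five metacharacters escaped, so the browser shows the text rather than interpreting it; the second call never reaches the encoder because the identifier fails the allow-list. In production code the hand-written `switch` would normally be replaced by a maintained encoder such as `org.owasp.encoder.Encode.forHtml` from the OWASP Java Encoder library, and the encoding has to match the output context (an attribute, URL or JavaScript context each needs its own encoder).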
CVE-2025-15175 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are using SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade to SohuTV CacheCloud version 3.2.1 or later. Implement input validation and output encoding as a temporary workaround.
Yes, a public exploit is available, indicating that CVE-2025-15175 is potentially being actively exploited.
As of the current date, there is no official advisory from SohuTV regarding this vulnerability. Monitor their website and security mailing lists for updates.