Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw resides within the taskQueueList function of the TaskController.java file, allowing attackers to inject malicious scripts. Successful exploitation can lead to unauthorized access and data compromise. A fix is available in version 3.2.1.
The XSS vulnerability in SohuTV CacheCloud allows an attacker to inject arbitrary JavaScript code into web pages viewed by other users. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the CacheCloud application is used to manage sensitive data or control critical systems. While the CVSS score is LOW, the potential for user compromise and data theft remains a significant concern, especially in environments with limited security controls. The remote nature of the vulnerability means an attacker does not need local access to exploit it.
This vulnerability was disclosed publicly on 2025-12-29. A public proof-of-concept may be available, increasing the risk of exploitation. The project maintainers have been notified but have not yet responded. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
Exploit Status
EPSS: 0.04% (11% percentile)
The primary mitigation for CVE-2025-15202 is to upgrade to SohuTV CacheCloud version 3.2.1 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the taskQueueList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block XSS attempts targeting this specific function. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update CacheCloud to a version later than 3.2.0, if available, to fix the XSS vulnerability. If no patched version is available, review and filter the inputs of the taskQueueList function in TaskController.java to prevent the injection of malicious code.
CVE-2025-15202 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0-3.2.0, allowing attackers to inject malicious scripts.
If you are using SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0, you are potentially affected by this vulnerability.
Upgrade to SohuTV CacheCloud version 3.2.1 or later to resolve this XSS vulnerability. Consider input validation and WAF rules as temporary mitigations.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Please refer to the SohuTV project's official website or security channels for the advisory related to CVE-2025-15202.