Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
CVE-2025-15204 describes a cross-site scripting (XSS) vulnerability discovered in SohuTV CacheCloud versions 3.0 through 3.2.0. Successful exploitation could allow an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. A fix is available in version 3.2.1, and the vulnerability has been publicly disclosed.
This XSS vulnerability resides within the doQuartzList function of the QuartzManageController.java file. An attacker could craft a malicious request that, when processed by CacheCloud, injects arbitrary JavaScript code into the web page. This code could then be executed in the context of the user's browser, granting the attacker access to sensitive information like session cookies or allowing them to perform actions on behalf of the user. The impact is amplified if CacheCloud is used in environments with privileged user accounts, as an attacker could potentially escalate their privileges.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant attention. No KEV listing or confirmed exploitation campaigns are currently known. The project has been notified of the issue but has not yet responded, which could delay further mitigation efforts.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-15204 is to upgrade SohuTV CacheCloud to version 3.2.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the doQuartzList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor access logs for suspicious requests targeting the doQuartzList endpoint. After upgrading, confirm the vulnerability is resolved by attempting a test XSS payload on the endpoint and verifying it is properly sanitized.
Update CacheCloud to a version later than 3.2.0, if available. If no patched version is available, review and sanitize user inputs in the doQuartzList function of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java to prevent malicious code injection. Implement additional security measures such as output encoding to prevent XSS attacks.
CVE-2025-15204 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade SohuTV CacheCloud to version 3.2.1 or later. Consider input validation and WAF rules as temporary mitigations.
While no active exploitation campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SohuTV CacheCloud project's official website or GitHub repository for updates and advisories related to CVE-2025-15204.