Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw resides within the doUserList function of the UserManageController.java file, allowing attackers to inject malicious scripts. A public exploit is now available, increasing the risk of exploitation. The vulnerability is addressed in version 3.2.1.
Successful exploitation of CVE-2025-15146 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the CacheCloud web interface. The public availability of an exploit significantly elevates the risk, as attackers can readily leverage it to compromise vulnerable systems. The impact is amplified if CacheCloud is integrated with other critical systems, potentially enabling lateral movement within the network.
This vulnerability is considered LOW severity according to CVSS. A public proof-of-concept exploit is available, indicating a higher likelihood of exploitation. The vulnerability was reported to the project but has not yet received a response, which could delay further mitigation efforts. The CVE was published on 2025-12-28.
Organizations utilizing SohuTV CacheCloud in production environments, particularly those with publicly accessible web interfaces, are at risk. Shared hosting environments where multiple users share the same CacheCloud instance are also vulnerable, as an attacker could potentially compromise other users' accounts.
• java / server:
  find /opt/sohutv/cachecloud/ -name "UserManageController.java"
• generic web:
  curl -I http://<cachecloud_ip>/user/list | grep -i 'X-XSS-Protection'
disclosure
poc
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-15146 is to upgrade SohuTV CacheCloud to version 3.2.1 or later. If immediate upgrading is not feasible, consider implementing input validation and output encoding on the doUserList endpoint so that user-supplied data is never written into the page as raw HTML. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor access logs for suspicious activity related to the doUserList endpoint. After upgrading, confirm the fix by submitting a simple XSS test string to the doUserList endpoint and verifying that it is returned encoded rather than rendered as markup.
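The following is an added, dependency-free Java illustration of the two interim controls named above (allow-list input validation and HTML output encoding); it is not CacheCloud code and does not reproduce the project's UserManageController. The class name, the renderUserRow* methods, the username pattern and the sample inputs are all hypothetical and constructed for this example.

```java
import java.util.regex.Pattern;

// Added example: shows the vulnerable "concatenate the parameter into HTML" pattern
// beside its encoded form, plus an allow-list check. Not CacheCloud's own code;
// every name below is hypothetical.
public class UserListEncodingExample {

    // Input validation: a conservative allow-list for a username query parameter.
    // Assumption (not from CacheCloud): usernames are short, printable identifiers.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.@-]{1,64}$");

    /** Output encoding: escape the characters that change meaning in HTML text/attributes. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reject anything that does not look like a username; throws on bad input. */
    static String validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username parameter");
        }
        return raw;
    }

    /** Vulnerable pattern: request data concatenated straight into the response body. */
    static String renderUserRowUnsafe(String nameParam) {
        return "<tr><td>" + nameParam + "</td></tr>";
    }

    /** Fixed pattern: encode at the point of output, independent of earlier validation. */
    static String renderUserRowSafe(String nameParam) {
        return "<tr><td>" + escapeHtml(nameParam) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name and a markup-bearing test string
        // of the kind used to confirm a fix after upgrading.
        String benign = "alice";
        String testString = "<script>alert(1)</script>";

        System.out.println("unsafe: " + renderUserRowUnsafe(testString));
        System.out.println("safe:   " + renderUserRowSafe(testString));

        // The encoded row must not contain a raw '<' from the parameter.
        String safeRow = renderUserRowSafe(testString);
        if (safeRow.contains("<script")) {
            throw new AssertionError("output encoding failed");
        }

        // Validation accepts the benign name and rejects the markup-bearing one.
        validateUsername(benign);
        try {
            validateUsername(testString);
            throw new AssertionError("validation should have rejected markup");
        } catch (IllegalArgumentException expected) {
            System.out.println("validation rejected: " + escapeHtml(testString));
        }
    }
}
```

Run it with `javac UserListEncodingExample.java && java UserListEncodingExample`. Output encoding is the control that actually closes the XSS, because validation can legitimately admit characters such as `&` or `'` that still need escaping; in a JSP or Thymeleaf view the same effect comes from `<c:out>` or `th:text`, which encode by default, rather than from string concatenation.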
Update CacheCloud to a version later than 3.2.0, if available, that fixes the Cross-Site Scripting (XSS) vulnerability. If no fixed version is available, review and filter user input in the doUserList function of UserManageController.java to prevent the injection of malicious code.
CVE-2025-15146 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade to SohuTV CacheCloud version 3.2.1 or later. Implement input validation and output encoding as a temporary workaround.
Yes, a public proof-of-concept exploit is available, indicating a potential for active exploitation.
Refer to the SohuTV CacheCloud project's official website or repository for the latest advisory regarding CVE-2025-15146.