Platform: java
Component: cachecloud
Fixed versions: 3.0.1, 3.1.1, 3.2.1
A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw resides within the taskQueueList function of the TaskController.java file, allowing attackers to inject malicious scripts. Successful exploitation can lead to unauthorized access and data compromise. A fix is available in version 3.2.1.
The XSS vulnerability in SohuTV CacheCloud allows an attacker to inject arbitrary JavaScript code into web pages viewed by other users. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the CacheCloud application is used to manage sensitive data or control critical systems. While the CVSS score is LOW, the potential for user compromise and data theft remains a significant concern, especially in environments with limited security controls. The remote nature of the vulnerability means an attacker does not need local access to exploit it.
This vulnerability was disclosed publicly on 2025-12-29. A public proof-of-concept may be available, increasing the risk of exploitation. The project maintainers have been notified but have not yet responded. The vulnerability is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
Organizations using SohuTV CacheCloud versions 3.0 through 3.2.0 are at risk, particularly those with publicly accessible instances or those handling sensitive user data. Shared hosting environments where CacheCloud is deployed could be especially vulnerable due to the potential for cross-tenant exploitation.
• java / server:
find /opt/sohutv/cachecloud/ -name "TaskController.java"
• java / server:
grep -r "taskQueueList" /opt/sohutv/cachecloud/
• generic web:
curl -I http://your-cachecloud-server/taskQueueList
• generic web:
grep -A 10 "taskQueueList" /var/log/apache2/access.log
Disclosure
Exploitation status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS vector
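An added example, not part of this advisory or of the CacheCloud project: the access-log grep above lists every request to taskQueueList; this script narrows that to requests whose URL-decoded query string carries HTML or script markers, run over constructed sample log lines in Apache combined format. The endpoint name comes from the advisory; the sample lines and the marker patterns are assumptions for illustration, not captured traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (Apache combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Dec/2025:10:00:01 +0000] "GET /taskQueueList?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Dec/2025:10:00:02 +0000] "GET /taskQueueList?status=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Dec/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.8 - - [29/Dec/2025:10:00:04 +0000] "GET /taskQueueList?name=x%22%20onmouseover%3Dalert(1)%20 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

# Fields of one combined-format request line (only the parts we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of tag, script-URL or event-handler injection in a query string.
# Matched after URL-decoding so percent-encoded variants are not missed.
MARKUP_RE = re.compile(
    r'<\s*/?\s*[a-z]|javascript\s*:|["\'\s]on[a-z]+\s*=',
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, decoded query, status; None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)
    return rec


def find_suspicious(log_text, endpoint="taskQueueList"):
    """Return (ip, path, decoded_query) for requests to `endpoint` whose query looks like markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or endpoint not in rec["path"]:
            continue
        if MARKUP_RE.search(rec["query"]):
            hits.append((rec["ip"], rec["path"], rec["query"]))
    return hits


if __name__ == "__main__":
    for ip, path, query in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path} ?{query}")
```

Pipe a real access log into `find_suspicious` after `tail`-ing or reading it; POST bodies are not in access logs, so this only covers parameters sent in the URL.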
The primary mitigation for CVE-2025-15202 is to upgrade to SohuTV CacheCloud version 3.2.1 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the taskQueueList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block XSS attempts targeting this specific function. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Update CacheCloud to a version later than 3.2.0, if available, to fix the XSS vulnerability. If no fixed version is available, review and filter the inputs to the taskQueueList function in TaskController.java to prevent the injection of malicious code.
CVE-2025-15202 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0-3.2.0, allowing attackers to inject malicious scripts.
If you are using SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0, you are potentially affected by this vulnerability.
Upgrade to SohuTV CacheCloud version 3.2.1 or later to resolve this XSS vulnerability. Consider input validation and WAF rules as temporary mitigations.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Please refer to the SohuTV project's official website or security channels for the advisory related to CVE-2025-15202.