平台
java
组件
cachecloud
修复版本
3.0.1
3.1.1
3.2.1
CVE-2025-15204 describes a cross-site scripting (XSS) vulnerability discovered in SohuTV CacheCloud versions 3.0 through 3.2.0. Successful exploitation could allow an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. A fix is available in version 3.2.1, and the vulnerability has been publicly disclosed.
This XSS vulnerability resides within the doQuartzList function of the QuartzManageController.java file. An attacker could craft a malicious request that, when processed by CacheCloud, injects arbitrary JavaScript code into the web page. This code could then be executed in the context of the user's browser, granting the attacker access to sensitive information like session cookies or allowing them to perform actions on behalf of the user. The impact is amplified if CacheCloud is used in environments with privileged user accounts, as an attacker could potentially escalate their privileges.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant attention. No KEV listing or confirmed exploitation campaigns are currently known. The project has been notified of the issue but has not yet responded, which could delay further mitigation efforts.
Organizations utilizing SohuTV CacheCloud in production environments, particularly those with web-facing applications or user interfaces, are at risk. Systems with older, unpatched versions (3.0-3.2.0) are especially vulnerable. Shared hosting environments where CacheCloud is deployed alongside other applications should also be considered high-risk.
• java / server:
find /opt/sohutv/cachecloud/ -name "QuartzManageController.java"• generic web:
curl -I http://your-cachecloud-server/quartz/list | grep -i 'X-XSS-Protection'• generic web:
grep -r "doQuartzList" /var/log/apache2/access.logdisclosure
漏洞利用状态
EPSS
0.04% (11% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-15204 is to upgrade SohuTV CacheCloud to version 3.2.1 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the doQuartzList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor access logs for suspicious requests targeting the doQuartzList endpoint. After upgrading, confirm the vulnerability is resolved by attempting a test XSS payload on the endpoint and verifying it is properly sanitized.
Actualizar CacheCloud a una versión posterior a 3.2.0, si existe. Si no hay una versión corregida disponible, revisar y sanitizar las entradas de usuario en la función doQuartzList del archivo src/main/java/com/sohu/cache/web/controller/QuartzManageController.java para evitar la inyección de código malicioso. Implementar medidas de seguridad adicionales como la codificación de salida para prevenir ataques XSS.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-15204 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade SohuTV CacheCloud to version 3.2.1 or later. Consider input validation and WAF rules as temporary mitigations.
While no active exploitation campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SohuTV CacheCloud project's official website or GitHub repository for updates and advisories related to CVE-2025-15204.
上传你的 pom.xml 文件,立即知道是否受影响。