Platform
java
Component
cachecloud
Fixed versions
3.0.1
3.1.1
3.2.1
CVE-2025-15219 describes a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the doMachineList/doPodList function and can be exploited remotely. A fix is available in version 3.2.1.
Successful exploitation of CVE-2025-15219 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive information, such as API keys or database credentials, if the user has access to such resources. Given the remote nature of the exploit, any user accessing the vulnerable CacheCloud instance is at risk. The impact is amplified if the application is used to manage critical infrastructure or sensitive data.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, indicating a relatively limited impact. As of the publication date (2025-12-30), there is no indication of active exploitation campaigns targeting this specific vulnerability. The lack of a response from the project is concerning and warrants further investigation.
Organizations utilizing SohuTV CacheCloud versions 3.0 through 3.2.0 are at risk. This includes deployments handling sensitive data or user authentication, as successful exploitation could lead to data breaches and account compromise. Shared hosting environments using this software are particularly vulnerable due to the potential for cross-tenant attacks.
• java / server:
# Check the Java runtime version (this does not report the CacheCloud version itself; confirm the deployed CacheCloud release, since 3.0 through 3.2.0 are affected)
java -version
# Inspect the src/main/java/com/sohu/cache/web/controller/MachineManageController.java file for the vulnerable doMachineList/doPodList function.
# Monitor application logs for suspicious activity related to the doMachineList/doPodList endpoint.
disclosure
patch
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15219 is to upgrade SohuTV CacheCloud to version 3.2.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the doMachineList/doPodList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block malicious XSS payloads targeting this specific function. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the doMachineList/doPodList endpoint and verifying that the payload is properly sanitized.
Upgrade CacheCloud to a version later than 3.2.0 that has fixed the cross-site scripting (XSS) vulnerability. Consult the release notes or changelog for details of the fix. If no fixed version is available, review and sanitize user input in the doMachineList and doPodList functions in MachineManageController.java to prevent injection of malicious scripts.
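The mitigation advice above (output encoding and input validation for values that reach the doMachineList/doPodList views) is illustrated by the following added example. It is not CacheCloud's code and does not reproduce the project's controller; the `Machine` record, its field names, and the renderer methods are assumptions made for illustration. It renders a constructed machine list twice, once by raw string concatenation (the class of defect an XSS finding describes) and once with every dynamic value HTML-entity encoded, and adds an allow-list check for an IPv4 field at the input boundary.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added example: contextual output encoding for a machine/pod list page. Not CacheCloud's code. */
public class SafeMachineListRenderer {

    /** Hypothetical row shape for a machine entry; field names are assumptions. */
    record Machine(String ip, String hostname) {}

    /** Minimal HTML entity encoder, safe for HTML text nodes and quoted attribute values. */
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Allow-list validation for an IPv4 field, applied before the value is stored or rendered. */
    private static final Pattern IPV4 = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");

    static boolean isValidIpv4(String ip) {
        return ip != null && IPV4.matcher(ip).matches();
    }

    /** Defective pattern: user-influenced values concatenated straight into markup. */
    static String renderUnsafe(List<Machine> machines) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Machine m : machines) {
            html.append("  <tr><td>").append(m.ip())
                .append("</td><td>").append(m.hostname()).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /** Hardened pattern: every dynamic value passes through htmlEncode at the point of insertion. */
    static String renderSafe(List<Machine> machines) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Machine m : machines) {
            html.append("  <tr><td>").append(htmlEncode(m.ip()))
                .append("</td><td>").append(htmlEncode(m.hostname())).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /** True when no raw script element survives in the rendered markup. */
    static boolean rendersInert(String html) {
        return !html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample rows; the second hostname carries markup as a hostile-input stand-in.
        List<Machine> rows = List.of(
            new Machine("10.0.0.5", "redis-node-1"),
            new Machine("10.0.0.6", "<script>alert(1)</script>"));

        String unsafe = renderUnsafe(rows);
        String safe = renderSafe(rows);

        System.out.println("Unsafe render inert: " + rendersInert(unsafe)); // false
        System.out.println("Safe render inert:   " + rendersInert(safe));   // true
        System.out.println(safe);

        // Input-boundary check: reject values that cannot be an IPv4 address before they are persisted.
        System.out.println("Valid IP accepted:   " + isValidIpv4("10.0.0.5"));          // true
        System.out.println("Markup rejected:     " + isValidIpv4("10.0.0.5<b>x</b>"));  // false
    }
}
```

Encoding at the output boundary is the control that neutralises stored values that were already accepted before a fix; the allow-list check only protects values written after it is in place, which is why the two are used together rather than as alternatives. When the view is produced by a template engine, the same rule applies: use its escaping output directive rather than a raw/unescaped one for these fields.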
CVE-2025-15219 is a cross-site scripting (XSS) vulnerability in SohuTV CacheCloud versions 3.0-3.2.0, allowing attackers to inject malicious scripts.
If you are using SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0, you are potentially affected by this vulnerability.
Upgrade to SohuTV CacheCloud version 3.2.1 or later to resolve the XSS vulnerability.
As of the publication date, there is no confirmed evidence of active exploitation, but a proof-of-concept may be available.
Refer to the SohuTV CacheCloud project's official channels for the advisory, though a response has not been received yet.