SohuTV CacheCloud CVE-2025-15145
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Stored cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows high-privilege authenticated users to inject malicious scripts via the doTotalList function in TotalManageController.java, which are executed in the browsers of users viewing the affected page. The vulnerability requires user interaction (UI:P) and high privileges (PR:H), limiting real-world impact despite network accessibility. Public exploit code is available, but EPSS probability remains very low (0.04%) due to the authentication and interaction requirements.
Technical Context (AI)
SohuTV CacheCloud is a distributed caching management platform built in Java. The vulnerability exists in the TotalManageController class, specifically in the doTotalList method, which handles user input without proper sanitization or output encoding. This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-controlled data is rendered in HTML responses without escaping HTML special characters. The affected component appears to be part of a web-based administration or monitoring interface, given the controller naming convention and the requirement for high privileges (PR:H) to exploit it.
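The CWE-79 pattern described above, as an added Java illustration that is not CacheCloud's own code: a request value concatenated straight into an HTML response, beside a hardened version that HTML-encodes it first. The method names (renderTotalListUnsafe, renderTotalListSafe, echoesRawMarkup), the "filter" parameter and the probe string are all hypothetical constructions for the example; nothing here is taken from doTotalList.

```java
// Added example (not CacheCloud's code): raw interpolation of user input into
// HTML versus output encoding. All names and the input string are constructed.
public class HtmlEncodingDemo {

    // Vulnerable pattern: user-controlled text is written straight into the page body.
    static String renderTotalListUnsafe(String filter) {
        return "<h2>Total list</h2><p>Filter: " + filter + "</p>";
    }

    // Hardened pattern: the same value passes through HTML entity encoding first.
    static String renderTotalListSafe(String filter) {
        return "<h2>Total list</h2><p>Filter: " + escapeHtml(filter) + "</p>";
    }

    // Entity-encodes the characters that can change HTML structure in an
    // element-body or quoted-attribute context. Equivalent in effect to
    // Spring's HtmlUtils.htmlEscape or commons-text StringEscapeUtils.escapeHtml4.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Regression check for tests or code review: does the rendered fragment still
    // contain the literal markup that was supplied as input? True means encoding
    // was skipped somewhere on the path from parameter to response.
    static boolean echoesRawMarkup(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }

    public static void main(String[] args) {
        // Constructed probe input: a harmless tag, enough to show whether the value
        // reaches the browser as markup or as visible text.
        String probe = "<script>/* constructed probe */</script>";

        String unsafe = renderTotalListUnsafe(probe);
        String safe = renderTotalListSafe(probe);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("unsafe echoes raw markup: " + echoesRawMarkup(unsafe, probe));
        System.out.println("safe echoes raw markup:   " + echoesRawMarkup(safe, probe));
    }
}
```

Compile and run with `javac HtmlEncodingDemo.java && java HtmlEncodingDemo`. In a Spring MVC application the same effect is normally obtained by letting the view layer escape for you (JSTL `<c:out>` or Thymeleaf `th:text` both encode by default) rather than building HTML strings in the controller; the echoesRawMarkup check is the kind of assertion a unit test can make against a controller response to catch a regression before a WAF rule has to.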
Remediation (AI)
Upgrade SohuTV CacheCloud to a version newer than 3.2.0 when available. As the vendor has not yet released a patched version according to available data, the primary remediation is to monitor the project repository at https://github.com/sohutv/cachecloud for updates and apply them once released. As an interim compensating control, restrict network access to the CacheCloud web administration interface to trusted networks or specific IP ranges, and limit user accounts with high privileges (PR:H) to only those individuals who require administrative access. Additionally, configure web application firewalls (WAF) to detect and block XSS payloads in the doTotalList endpoint parameters. These controls reduce the practical exploitation window while waiting for an official patch. The vendor issue report is available at https://github.com/sohutv/cachecloud/issues/365.