SohuTV CacheCloud CVE-2025-15171
Severity: LOW (rating by source; primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross-site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Reflected cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows authenticated remote attackers to inject malicious scripts via the index function in ServerController.java; user interaction is required for the injected script to execute. A proof of concept is publicly available on GitHub, but the project maintainers have not responded to the early disclosure report. With an EPSS score of 0.03% and a CVSS score of 2.0, the real-world exploitation risk is minimal despite the public PoC.
Technical Context (AI)
SohuTV CacheCloud is a distributed caching solution built in Java. The vulnerability is in the ServerController class, specifically its index function (src/main/java/com/sohu/cache/web/controller/ServerController.java), which fails to sanitize or encode user-supplied input before rendering it in the HTTP response. This is a classic reflected XSS flaw (CWE-79): attacker-controlled data from request parameters is echoed back to the client without HTML encoding or output validation, allowing JavaScript to execute in the victim's browser context.
Remediation (AI)
No vendor-released patch had been identified at the time of analysis; the SohuTV project has not responded to the early disclosure report filed as a GitHub issue. Immediate workarounds:
(1) Upgrade CacheCloud to a version beyond 3.2.0 if one is available (verify with the upstream project).
(2) Apply input validation and HTML encoding to the ServerController.index function: review the code at https://github.com/sohutv/cachecloud and implement output encoding, or deploy a Web Application Firewall rule that strips script tags from responses.
(3) Restrict network access to the CacheCloud administrative interfaces with firewall rules or network segmentation so that only authenticated users can reach them.
(4) Disable browser script execution for CacheCloud URLs via Content Security Policy headers where feasible.
Given the low EPSS score and the lack of vendor response, patching can be scheduled during normal maintenance windows rather than treated as an emergency. Monitor GitHub issue #367 for any upstream patch announcement.
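As an added illustration of workaround (2) and of the reflected-XSS pattern described under Technical Context, the following is example code written for this page, not CacheCloud's own ServerController: a minimal handler that reflects a request parameter into an HTML response, first unencoded and then with HTML entity encoding applied at output time. The parameter name `q`, the page template and the hostile input are constructed assumptions.

```java
import java.util.Map;

public class ReflectedParamDemo {

    // Encode the five characters that can break out of an HTML text or
    // attribute context. Encoding happens at output time, never on storage.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: request data concatenated straight into the response body.
    static String renderIndexUnsafe(Map<String, String> params) {
        String q = params.getOrDefault("q", "");
        return "<h1>Servers</h1><p>Filter: " + q + "</p>";
    }

    // Hardened pattern: identical page, but every user-controlled value is
    // encoded for the HTML text context it lands in.
    static String renderIndexSafe(Map<String, String> params) {
        String q = params.getOrDefault("q", "");
        return "<h1>Servers</h1><p>Filter: " + htmlEncode(q) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed request input containing markup (assumption, stands in for a hostile query string).
        Map<String, String> params = Map.of("q", "<script>alert(1)</script>");
        String unsafe = renderIndexUnsafe(params);
        String safe = renderIndexSafe(params);
        System.out.println("unsafe: " + unsafe); // markup reaches the browser intact
        System.out.println("safe:   " + safe);   // markup is rendered as literal text
        // Regression check a reviewer can keep: no raw tag from the input may survive encoding.
        if (safe.contains("<script")) throw new AssertionError("output encoding failed");
    }
}
```

In a real code base the encoder should come from the template engine's auto-escaping or a maintained encoding library rather than a hand-rolled helper; it is inlined here only so the example compiles with no dependencies.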