SohuTV CacheCloud CVE-2025-15202
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI-generated)
Reflected cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows authenticated high-privilege users to inject malicious scripts via the taskQueueList function in TaskController.java, requiring user interaction for exploitation. The vulnerability has publicly available exploit details and a low EPSS score of 0.04%, indicating minimal real-world exploitation risk despite the public disclosure.
Technical Context (AI-generated)
SohuTV CacheCloud is a distributed caching management platform written in Java. The vulnerability exists in the TaskController.java file, specifically in the taskQueueList endpoint, which fails to properly sanitize user-supplied input before rendering it in the application response. This is a classic reflected XSS vulnerability (CWE-79) where unsanitized query parameters or form inputs are echoed directly into HTML output without encoding, allowing an attacker to inject arbitrary JavaScript. The vulnerable code path is exposed via HTTP GET/POST to remote attackers, but exploitation requires the attacker to either hold administrative credentials (PR:H per CVSS vector) or trick an authenticated administrator into clicking a malicious link (UI:P).
Remediation (AI-generated)
Upgrade SohuTV CacheCloud to a version released after the public issue report at https://github.com/sohutv/cachecloud/issues/374; however, vendor response and patched version availability are not yet confirmed per the vulnerability description. As an interim compensating control, restrict access to the TaskController.java taskQueueList endpoint to trusted administrative networks only by implementing IP-based access controls at the firewall or reverse proxy level. Additionally, enforce Content Security Policy (CSP) headers in the application configuration to block inline script execution even if XSS payloads are injected. Monitor administrator accounts for unusual activity, such as unexpected session creation or API token usage, to detect if exploitation is attempted. Do NOT disable the TaskController entirely if it provides critical caching queue management functionality, as this would impact availability; instead, implement input validation and output encoding at the application level by sanitizing all user-supplied parameters in the taskQueueList function before rendering them in HTML contexts. Note that these controls do not eliminate the vulnerability - a vendor patch is required for complete remediation.
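The output-encoding and CSP controls described above, as an added illustrative example in Java; this is not CacheCloud's code, and the parameter name, the handler shape and the header values are assumptions:

```java
// Added example (not CacheCloud's own code): a reflected parameter rendered into
// HTML, shown as the vulnerable pattern and the output-encoded pattern.
import java.util.LinkedHashMap;
import java.util.Map;

public class TaskQueueRender {
    // Minimal encoder for HTML text and quoted-attribute contexts: replaces the
    // characters that let untrusted input break out of a text node or attribute.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern (CWE-79): the request parameter is concatenated into
    // the response body without encoding. "queueName" is an assumed parameter.
    static String renderVulnerable(String queueName) {
        return "<h2>Task queue: " + queueName + "</h2>";
    }

    // Hardened pattern: encode at the point of output, for the HTML context.
    static String renderSafe(String queueName) {
        return "<h2>Task queue: " + htmlEncode(queueName) + "</h2>";
    }

    // Defence-in-depth response headers (assumed values): a CSP that forbids
    // inline script so an injected <script> block is not executed by the browser.
    static Map<String, String> securityHeaders() {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'");
        h.put("X-Content-Type-Options", "nosniff");
        return h;
    }

    public static void main(String[] args) {
        String constructedInput = "<script>alert(1)</script>"; // constructed test input
        System.out.println(renderVulnerable(constructedInput)); // script element survives
        System.out.println(renderSafe(constructedInput));       // rendered as inert text
        securityHeaders().forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

In a real Spring handler the encoded value would be written by the view layer (or a library encoder) rather than by string concatenation, and the headers would be set on the HttpServletResponse or by a security filter.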