SohuTV CacheCloud CVE-2025-15204
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in SohuTV CacheCloud up to 3.2.0. Affected is the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. Manipulation of its input can lead to cross-site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows high-privileged authenticated users to inject malicious scripts via the doQuartzList function in QuartzManageController.java, affecting users who interact with crafted content. The vulnerability requires high privileges (PR:H) and user interaction (UI:P), limiting real-world impact despite remote network accessibility. Public exploit code is available, but EPSS exploitation probability is exceptionally low at 0.04% (11th percentile), suggesting the attack requires substantial prerequisites unlikely to occur in typical deployments.
Technical Context (AI-generated)
The vulnerability exists in the Quartz job management controller of CacheCloud, a distributed caching solution built in Java. The doQuartzList function fails to properly sanitize user-supplied input before rendering it in web responses, allowing attackers with administrative privileges to inject arbitrary HTML/JavaScript into the Quartz job listing interface. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates insufficient output encoding when constructing dynamic web content. The attack surface is limited to authenticated administrative users, as the PR:H (high privilege) requirement in the CVSS vector indicates the attacker must possess administrative credentials to reach the vulnerable endpoint.
Remediation (AI-generated)
Upgrade SohuTV CacheCloud to a version released after the public disclosure date with the XSS input validation and output encoding fixes applied. The project maintainers were notified via GitHub issue #376 but have not released a patched version; verify current release status at https://github.com/sohutv/cachecloud/releases. As a compensating control pending an official patch, restrict network access to the Quartz management interface using firewall rules or reverse proxy authentication, limiting access to trusted administrative networks only. Additionally, implement Content Security Policy (CSP) headers on the CacheCloud application to prevent inline script execution, and encode every user-supplied value rendered by the doQuartzList function with a Java HTML encoding library such as OWASP ESAPI before writing it into the response. This last control mitigates stored XSS impact without requiring a full application upgrade but does not address the root cause.
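The output-encoding fix described above, shown as an added example in plain Java. This is not CacheCloud's code and the page does not show the body of doQuartzList, so the job-listing rendering, the job names and groups, and the CSP value are all constructed for illustration; the hand-written encoder stands in for a maintained library (OWASP Java Encoder or ESAPI) only so the example runs with no dependencies. It renders the same job list once with raw concatenation (the CWE-79 pattern) and once with HTML-body-context encoding, and prints the defence-in-depth CSP header alongside.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not CacheCloud code: HTML output encoding for a Quartz job
// listing, with the unsafe pattern beside the hardened one.
public class QuartzListEncodingExample {

    // Minimal encoder for the HTML body context. In a real application use a
    // maintained library (OWASP Java Encoder's Encode.forHtml or ESAPI's
    // encodeForHTML); this hand-written version exists only so the example
    // runs stand-alone.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe pattern: stored job metadata concatenated straight into markup.
    // Anything a privileged user saved as a job name reaches the browser as HTML.
    static String renderRowUnsafe(String jobName, String jobGroup) {
        return "<tr><td>" + jobName + "</td><td>" + jobGroup + "</td></tr>";
    }

    // Hardened pattern: every dynamic value is encoded for the context it is
    // written into (here the HTML body), so markup is displayed, not executed.
    static String renderRowSafe(String jobName, String jobGroup) {
        return "<tr><td>" + encodeForHtml(jobName) + "</td><td>"
             + encodeForHtml(jobGroup) + "</td></tr>";
    }

    // Render the whole listing either way; jobs are {name, group} pairs.
    static String renderListing(List<String[]> jobs, boolean encode) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (String[] job : jobs) {
            String row = encode ? renderRowSafe(job[0], job[1])
                                : renderRowUnsafe(job[0], job[1]);
            html.append(row).append('\n');
        }
        return html.append("</table>").toString();
    }

    // Illustrative CSP (assumed value, not the project's): blocks inline scripts
    // so an encoding slip does not immediately become script execution. Served
    // as defence in depth alongside encoding, never instead of it.
    static final String CSP_HEADER_NAME = "Content-Security-Policy";
    static final String CSP_HEADER_VALUE =
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'";

    public static void main(String[] args) {
        // Constructed sample job records (hypothetical; not CacheCloud data).
        // The second name carries markup, as a stored XSS payload would.
        List<String[]> jobs = Arrays.asList(
            new String[] {"redis-stat-collect", "cachecloud"},
            new String[] {"stat<script>alert('xss')</script>", "cachecloud"});

        System.out.println("Unsafe rendering (markup survives and the browser executes it):");
        System.out.println(renderListing(jobs, false));
        System.out.println();
        System.out.println("Encoded rendering (markup is shown as literal text):");
        System.out.println(renderListing(jobs, true));
        System.out.println();
        System.out.println("Defence-in-depth header: "
            + CSP_HEADER_NAME + ": " + CSP_HEADER_VALUE);
    }
}
```

Encoding belongs at the point where a value is written into the response, not where it is stored: the same job name may later be emitted into a JavaScript string or an attribute, each of which needs its own encoder, and encoding on input would leave those contexts unprotected while corrupting the stored value.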