SohuTV CacheCloud CVE-2025-15220
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This affects the function init of the file src/main/java/com/sohu/cache/web/controller/LoginController.java. The manipulation results in cross-site scripting. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Reflected cross-site scripting (XSS) in SohuTV CacheCloud up to version 3.2.0 allows remote attackers to inject scripts via the LoginController initialization function; execution requires user interaction. A public exploit is available, but the real-world risk is low given the CVSS score of 2.1, a minimal EPSS exploitation probability (0.04%), and the need for a user to click through. The vendor has not responded to early disclosure through a GitHub issue.
Technical Context (AI)
The vulnerability lies in the Java-based CacheCloud application, in src/main/java/com/sohu/cache/web/controller/LoginController.java, specifically in the init function. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input validation or output encoding in the login workflow. The LoginController handles authentication entry points, and the init method likely processes request parameters without proper sanitization before rendering them in the web response. This is a classic reflected XSS vulnerability: attacker-controlled input is written directly into the HTML response without encoding.
Remediation (AI)
Upgrade SohuTV CacheCloud to a version released after the vendor responds to the GitHub issue #379 (https://github.com/sohutv/cachecloud/issues/379) - no patched version has been publicly released as of analysis time. In the interim, implement compensating controls: (1) Deploy a Web Application Firewall (WAF) with XSS detection rules to filter script injection payloads in LoginController parameters; (2) Use Content Security Policy (CSP) headers with script-src 'self' to prevent inline script execution even if XSS is reflected; (3) Ensure browser auto-update policies are enforced for users accessing CacheCloud to benefit from browser XSS filters; (4) Restrict CacheCloud admin access to internal networks only, reducing the user population exposed to reflected XSS. Note that WAF rules may cause false positives on legitimate input; CSP requires careful configuration to avoid breaking legitimate functionality. Monitor the GitHub repository for vendor response and patch release.
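As an added example (not code from the CacheCloud project), the following servlet filter applies the CSP header from compensating control (2) to every response, and the hypothetical htmlEncode helper shows the output encoding that a controller such as LoginController.init should apply to any request value it reflects. It assumes the javax.servlet API and that CacheCloud's pages load scripts only from their own origin.

```java
// Added example, not CacheCloud code: CSP compensating control plus an
// HTML-encoding helper for reflected request values.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class CspFilter implements Filter {
    // script-src 'self' blocks inline <script> blocks and javascript: URLs
    // even when input is reflected unencoded; object-src 'none' and
    // base-uri 'self' close common CSP bypasses. Assumption: all legitimate
    // scripts are same-origin; add CDN origins here if the app uses any.
    private static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Content-Security-Policy", CSP);
            http.setHeader("X-Content-Type-Options", "nosniff");
        }
        chain.doFilter(req, res);
    }

    /** Encode a request value before writing it into an HTML body (hypothetical helper). */
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

The header is an interim control only: the encoding step at the point of reflection is the actual fix, and the policy should be verified against the application's own script sources before enforcement.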