CVE-2025-15173
Unknown Unknown - Not Provided
Cross-Site Scripting in SohuTV CacheCloud InstanceController

Publication date: 2025-12-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15173
EUVD
EUVD-2025-205554
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sohutv cachecloud 3.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) weakness in the advancedAnalysis function of the InstanceController.java file in SohuTV CacheCloud up to version 3.2.0. It allows an attacker to remotely inject malicious scripts due to improper handling of input, potentially leading to unauthorized script execution in users' browsers.

Impact Analysis

The vulnerability can allow attackers to execute malicious scripts in the context of users' browsers, which may lead to session hijacking, defacement, or redirection to malicious sites. Although the impact on confidentiality and availability is rated low, the integrity of user interactions can be compromised.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint `/admin/instance/advancedAnalysis` with malicious payloads in the `startDate` or `endDate` parameters and observing if the payload is reflected unencoded in the response, indicating a reflected XSS vulnerability. For example, you can use curl to send a POST request with a payload that triggers a JavaScript alert, such as: curl -X POST -d 'startDate=X" tabindex="1" AutoFOCus oNFoCuS=alert("zast-xss")//' -d 'endDate=2025-01-01' https://<target>/admin/instance/advancedAnalysis If the alert is triggered or the payload appears unencoded in the response HTML, the system is vulnerable. Monitoring web server logs for suspicious requests to this endpoint with unusual parameter values can also help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/admin/instance/advancedAnalysis` to trusted users only, such as by implementing network-level access controls or authentication mechanisms. Additionally, input validation and output encoding should be applied to the `startDate` and `endDate` parameters to prevent injection of malicious scripts. Since no official fix or patch has been released yet, consider disabling or limiting use of the affected functionality until a patch is available. Monitoring for exploitation attempts and educating users about the risk can also help reduce impact. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart