CVE-2025-15202
Unknown Unknown - Not Provided
Cross-Site Scripting in SohuTV CacheCloud TaskController

Publication date: 2025-12-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in SohuTV CacheCloud up to 3.2.0. This affects the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sohutv cachecloud 3.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SohuTV CacheCloud up to version 3.2.0, specifically in the taskQueueList function of the TaskController.java file. It allows an attacker to perform cross-site scripting (XSS) attacks remotely by manipulating this function. The vulnerability has been publicly disclosed and can be exploited.

Impact Analysis

The vulnerability can lead to cross-site scripting attacks, which may allow attackers to inject malicious scripts into web pages viewed by other users. This can result in unauthorized actions performed on behalf of users, potential theft of sensitive information, or other malicious activities depending on the context of the application.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP POST requests to the endpoint `/manage/task/list` with malicious payloads in parameters such as `className` to test for reflected Cross-Site Scripting (XSS). A proof-of-concept uses Python's requests library to send such payloads and observe if the response contains injected scripts. For detection on your system, you can use curl or similar tools to send a POST request with a payload designed to trigger an XSS alert, for example: curl -X POST 'http://<target>/manage/task/list' -d 'className=<script>alert(1)</script>' -H 'X-Requested-With: XMLHttpRequest' If the response contains the injected script, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the vulnerable CacheCloud version 3.2.0 or earlier, as no official patch or vendor response is available. Consider replacing or upgrading the software to a non-vulnerable version if available. Additionally, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the `/manage/task/list` endpoint. Restrict access to this endpoint to trusted users only, as exploitation requires authentication and user interaction. Monitor network traffic for suspicious POST requests with script injection attempts. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart