CVE-2025-59302

MEDIUM

4.7

Descripcion

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

Detalles CVE

Puntuacion CVSS v3.14.7

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosHIGH

Interaccion usuarioNONE

Publicado11/27/2025

Ultima modificacion12/2/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

apache:cloudstack

Debilidades (CWE)

CWE-94CWE-94

Referencias

https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788(security@apache.org)

http://www.openwall.com/lists/oss-security/2025/11/27/2(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.