CVE-2025-59302

MEDIUM

4.7

Beschreibung

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

CVE Details

CVSS v3.1 Bewertung4.7

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienHIGH

BenutzerinteraktionNONE

Veroffentlicht11/27/2025

Zuletzt geandert12/2/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

apache:cloudstack

Schwachen (CWE)

CWE-94CWE-94

Referenzen

https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788(security@apache.org)

http://www.openwall.com/lists/oss-security/2025/11/27/2(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.