Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-hgmv-qpw9-xrfq

Опубликовано: 27 нояб. 2025
Источник: github
Github: Не прошло ревью
CVSS3: 4.7

Описание

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.

  • quotaTariffCreate
  • quotaTariffUpdate
  • createSecondaryStorageSelector
  • updateSecondaryStorageSelector
  • updateHost
  • updateStorage

This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.

  • quotaTariffCreate
  • quotaTariffUpdate
  • createSecondaryStorageSelector
  • updateSecondaryStorageSelector
  • updateHost
  • updateStorage

This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

Ссылки

EPSS

Процентиль: 26%
0.00088
Низкий

4.7 Medium

CVSS3

CVE ID

CVE-2025-59302

Дефекты

CWE-94

Связанные уязвимости

nvd логотип

CVE-2025-59302

CVSS3: 4.7
nvd
2 месяца назад

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

EPSS

Процентиль: 26%
0.00088
Низкий

4.7 Medium

CVSS3

CVE ID

CVE-2025-59302

Дефекты

CWE-94