SohuTV CacheCloud Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions prior to 3.2.0. The issue arises in the 'doMachineList' and 'doPodList' functions within the 'MachineManageController.java' file. This vulnerability allows remote attackers to inject malicious scripts, which are then executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the '/manage/machine/list' or '/manage/machine/pod/changelist' endpoint with user-controllable parameters that are not properly encoded. This can be done using a tool like 'requests' in Python, by including a malicious payload in the 'ip' or 'tabTag' parameter. The injected script will be executed in the user's browser, demonstrating the cross-site scripting vulnerability.