CVE-2025-5015 (GCVE-0-2025-5015)
Vulnerability from cvelistv5
Published
2025-06-25 16:23
Modified
2025-06-25 20:09
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
Summary
A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.
References
Impacted products
Vendor Product Version
Parsons Parsons Utility Enterprise Data Management Version: 5.18
Version: 5.03
Version: 4.02   <
Version: 3.30
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5015",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T20:09:51.085948Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T20:09:56.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Parsons Utility Enterprise Data Management",
          "vendor": "Parsons",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "status": "affected",
              "version": "5.03"
            },
            {
              "lessThanOrEqual": "4.26",
              "status": "affected",
              "version": "4.02",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "3.30"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AclaraONE Utility Portal",
          "vendor": "Parsons",
          "versions": [
            {
              "lessThan": "1.22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Dillon reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\u003c/span\u003e"
            }
          ],
          "value": "A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T16:23:54.248Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eParsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\u003cbr\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Parsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received."
        }
      ],
      "source": {
        "advisory": "ICSA-25-175-06",
        "discovery": "EXTERNAL"
      },
      "title": "Parsons AccuWeather Widget Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-5015",
    "datePublished": "2025-06-25T16:23:54.248Z",
    "dateReserved": "2025-05-20T17:51:22.600Z",
    "dateUpdated": "2025-06-25T20:09:56.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5015\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-06-25T17:15:39.970\",\"lastModified\":\"2025-06-26T18:57:43.670\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de cross site scripting en el widget AccuWeather y Custom RSS que permite que un usuario no autenticado reemplace la URL de la fuente RSS por una maliciosa.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5015\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-25T20:09:51.085948Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-25T20:08:10.680Z\"}}], \"cna\": {\"title\": \"Parsons AccuWeather Widget Cross-site Scripting\", \"source\": {\"advisory\": \"ICSA-25-175-06\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Joshua Dillon reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Parsons\", \"product\": \"Parsons Utility Enterprise Data Management\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.18\"}, {\"status\": \"affected\", \"version\": \"5.03\"}, {\"status\": \"affected\", \"version\": \"4.02\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.26\"}, {\"status\": \"affected\", \"version\": \"3.30\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Parsons\", \"product\": \"AclaraONE Utility Portal\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.22\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Parsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\\n\\n\\n\\n\\nAclaraONE Hosted Users \\u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\\n\\n\\n\\n\\nAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eParsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAclaraONE Hosted Users \\u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\u003cbr\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-06-25T16:23:54.248Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-5015\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-25T20:09:56.654Z\", \"dateReserved\": \"2025-05-20T17:51:22.600Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-06-25T16:23:54.248Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.