{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.18.0.0" }, { "fixed": "4.20.2.0" }, { "introduced": "0" }, { "last_affected": "4.21.0.0" } ] }, "events": [ { "introduced": "0574087284f8b646ebc41617cfd70b3a31e3ae94" }, { "fixed": "4dc3931233bafb748d5fe2c7e0f6f3499d76bc3a" }, { "introduced": "0" }, { "last_affected": "f9513b47bf8cda46c2cee7e31d4d662346bc7399" } ], "repo": "https://github.com/apache/cloudstack", "type": "GIT" } ] } ], "details": "In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.\n\n * quotaTariffCreate\n * quotaTariffUpdate\n * createSecondaryStorageSelector\n * updateSecondaryStorageSelector\n * updateHost\n * updateStorage\n\n\nThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\n\nThe fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.", "id": "CVE-2025-59302", "modified": "2026-03-15T21:45:49.450587202Z", "published": "2025-11-27T12:15:47.410Z", "references": [ { "type": "ADVISORY", "url": "https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788" }, { "type": "ADVISORY", "url": "http://www.openwall.com/lists/oss-security/2025/11/27/2" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ] }