{"id":"CVE-2025-22829","details":"The CloudStack Quota plugin has improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in a CloudStack 4.20.0.0 environment where this plugin is enabled, and who has access to specific APIs, can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\n\nQuota plugin users on CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.","modified":"2026-04-10T05:22:46.484420Z","published":"2025-06-10T23:15:22.740Z","references":[{"type":"ADVISORY","url":"https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"},{"type":"ADVISORY","url":"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cloudstack","events":[{"introduced":"0"},{"last_affected":"2fe3fcef7c77cf9a1b629c9df3afc0cdb88ad4f6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.20.0.0"}]}}],"versions":["4.12.0.0","4.16.0.0","4.17.0.0","4.18.0.0","4.20.0.0","acton-beta1-prerelease-1","ovm3","tag-3.0.1-prerelease-1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22829.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}