{"id":"CVE-2025-59302","details":"In  Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.\n\n  *  quotaTariffCreate\n  *  quotaTariffUpdate\n  *  createSecondaryStorageSelector\n  *  updateSecondaryStorageSelector\n  *  updateHost\n  *  updateStorage\n\n\nThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\n\nThe fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.","modified":"2026-04-10T05:31:57.735428Z","published":"2025-11-27T12:15:47.410Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/11/27/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cloudstack","events":[{"introduced":"0574087284f8b646ebc41617cfd70b3a31e3ae94"},{"fixed":"4dc3931233bafb748d5fe2c7e0f6f3499d76bc3a"},{"introduced":"0"},{"last_affected":"f9513b47bf8cda46c2cee7e31d4d662346bc7399"}],"database_specific":{"versions":[{"introduced":"4.18.0.0"},{"fixed":"4.20.2.0"},{"introduced":"0"},{"last_affected":"4.21.0.0"}]}}],"versions":["4.18.0.0","4.20.0.0","4.20.1.0","4.21.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59302.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}]}