Search criteria
1 vulnerability by Parsons
CVE-2025-5015 (GCVE-0-2025-5015)
Vulnerability from cvelistv5 ā Published: 2025-06-25 16:23 ā Updated: 2025-06-25 20:09
VLAI?
Title
Parsons AccuWeather Widget Cross-site Scripting
Summary
A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.
Severity ?
8.8 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Parsons | Parsons Utility Enterprise Data Management |
Affected:
5.18
Affected: 5.03 Affected: 4.02 , ā¤ 4.26 (custom) Affected: 3.30 |
|||||||
|
|||||||||
Credits
Joshua Dillon reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T20:09:51.085948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T20:09:56.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parsons Utility Enterprise Data Management",
"vendor": "Parsons",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"status": "affected",
"version": "5.03"
},
{
"lessThanOrEqual": "4.26",
"status": "affected",
"version": "4.02",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.30"
}
]
},
{
"defaultStatus": "unaffected",
"product": "AclaraONE Utility Portal",
"vendor": "Parsons",
"versions": [
{
"lessThan": "1.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Dillon reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\u003c/span\u003e"
}
],
"value": "A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T16:23:54.248Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eParsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\u003cbr\u003e\n\n\u003cbr\u003e"
}
],
"value": "Parsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received."
}
],
"source": {
"advisory": "ICSA-25-175-06",
"discovery": "EXTERNAL"
},
"title": "Parsons AccuWeather Widget Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-5015",
"datePublished": "2025-06-25T16:23:54.248Z",
"dateReserved": "2025-05-20T17:51:22.600Z",
"dateUpdated": "2025-06-25T20:09:56.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}