CVE-2025-5015 (GCVE-0-2025-5015)

Vulnerability from cvelistv5 – Published: 2025-06-25 16:23 – Updated: 2025-06-25 20:09
VLAI?
Title
Parsons AccuWeather Widget Cross-site Scripting
Summary
A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Parsons Parsons Utility Enterprise Data Management Affected: 5.18
Affected: 5.03
Affected: 4.02 , ≤ 4.26 (custom)
Affected: 3.30
Create a notification for this product.
Credits
Joshua Dillon reported this vulnerability to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5015",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T20:09:51.085948Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T20:09:56.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Parsons Utility Enterprise Data Management",
          "vendor": "Parsons",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "status": "affected",
              "version": "5.03"
            },
            {
              "lessThanOrEqual": "4.26",
              "status": "affected",
              "version": "4.02",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "3.30"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "AclaraONE Utility Portal",
          "vendor": "Parsons",
          "versions": [
            {
              "lessThan": "1.22",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Dillon reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\u003c/span\u003e"
            }
          ],
          "value": "A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T16:23:54.248Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eParsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\u003cbr\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Parsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE Hosted Users \u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\n\n\n\n\nAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received."
        }
      ],
      "source": {
        "advisory": "ICSA-25-175-06",
        "discovery": "EXTERNAL"
      },
      "title": "Parsons AccuWeather Widget Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-5015",
    "datePublished": "2025-06-25T16:23:54.248Z",
    "dateReserved": "2025-05-20T17:51:22.600Z",
    "dateUpdated": "2025-06-25T20:09:56.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5015\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-06-25T17:15:39.970\",\"lastModified\":\"2025-06-26T18:57:43.670\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de cross site scripting en el widget AccuWeather y Custom RSS que permite que un usuario no autenticado reemplace la URL de la fuente RSS por una maliciosa.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5015\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-25T20:09:51.085948Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-25T20:08:10.680Z\"}}], \"cna\": {\"title\": \"Parsons AccuWeather Widget Cross-site Scripting\", \"source\": {\"advisory\": \"ICSA-25-175-06\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Joshua Dillon reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Parsons\", \"product\": \"Parsons Utility Enterprise Data Management\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.18\"}, {\"status\": \"affected\", \"version\": \"5.03\"}, {\"status\": \"affected\", \"version\": \"4.02\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.26\"}, {\"status\": \"affected\", \"version\": \"3.30\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Parsons\", \"product\": \"AclaraONE Utility Portal\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.22\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Parsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\\n\\n\\n\\n\\nAclaraONE Hosted Users \\u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\\n\\n\\n\\n\\nAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eParsons Utility Enterprise Data Management Users - This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAclaraONE Hosted Users \\u2013 This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eAclaraONE On Premise Users - End-user action is required. A patch and mitigation information for AclaraONE is available through the Aclara Connect Customer Portal. If you prefer assistance, Aclara Support would be happy to help. Users may request an appointment to apply the patch update by opening a ticket on the Aclara Connect Customer Portal, or by contacting us by phone or email. Requests will be processed in the order received.\u003cbr\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-06-25T16:23:54.248Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-5015\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-25T20:09:56.654Z\", \"dateReserved\": \"2025-05-20T17:51:22.600Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-06-25T16:23:54.248Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.