Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-22829

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

Published

2025-06-10T23:15:22.740

Last Modified

2025-06-25T19:38:05.817

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cloudstack	4.20.0.0	Yes

References

https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 Third Party Advisory ([email protected])
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60 Mailing List, Vendor Advisory ([email protected])
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/ Broken Link ([email protected])