Cross-Site Scripting Vulnerability in AccuWeather and Custom RSS Widget
CVE-2025-5015

8.8HIGH

Key Information:

Vendor

Parsons

Status
Parsons Utility Enterprise Data Management
Aclaraone Utility Portal
Vendor
CVE Published:
25 June 2025

What is CVE-2025-5015?

A cross-site scripting vulnerability in the AccuWeather and Custom RSS widget allows an unauthenticated user to manipulate the RSS feed URL and inject malicious scripts. This exposes users to potential attacks, as malicious content can be executed in their browsers when they view the affected widget. Protection against such vulnerabilities is critical to ensure user safety and data integrity.

Affected Version(s)

AclaraONE Utility Portal 0 < 1.22

Parsons Utility Enterprise Data Management 5.18

Parsons Utility Enterprise Data Management 5.03

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-1...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joshua Dillon reported this vulnerability to CISA.
.
CVE-2025-5015 : Cross-Site Scripting Vulnerability in AccuWeather and Custom RSS Widget