CVE-2025-21624

Jan. 7, 2025, 5:15 p.m.

9.8
Critical

Description

ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 239, a file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an attacker can upload a PHP script file instead of an image file, thus allowing a webshell or other malicious files to be stored and executed on the server. This attack vector exists in both the admin area and low-level user area. This vulnerability is fixed in 5.5.1 - 239.

Product(s) Impacted

Product Versions
ClipBucket
  • 5.5.1 - 239

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

References

https://github.com/MacWarrior/clipbucket-v5/commit/893bfb0f1236c4a59b5e2843ab8d27a1e491b12b
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-98vm-2xqm-xrcc
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-98vm-2xqm-xrcc

Tags

security-advisories@github.com
CWE-434
2025-01-07
CVE-2025-21624

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Jan. 7, 2025, 4:15 p.m.
Last Modified: Jan. 7, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.