ClipBucket v5 is an open-source PHP video and photo sharing platform. It is the newer and upgraded version of the original ClipBucket platform, which is no longer actively maintained.
The following four high- and critical-severity vulnerabilities were reported and responsibly disclosed to the ClipBucket v5 development team by Masumi Arafune and Ka Wing Ho, Senior Consultants within the Sekuro Offensive Security Team.
NIST rates these CVEs from 7.5 (High) to 9.8 (Critical). Sekuro's timely disclosure to ClipBucket closed vulnerabilities that would have enabled adversaries to delete application source files and gain other unauthorised access, leaving the door open to remote code execution and application takeover.
Read the full advisories via the links below.
Background
Some background information to note:
- The application allows self-registration of regular user accounts by default; admins could potentially toggle this feature on or off.
- The application uses flat files to determine installation success at the time of writing, therefore strategic deletion of certain files would allow attackers to take over the application.

Untrusted Deserialization
(CVE-2024-54135, CVE-2024-54136 – CVSS 7.5)
A photo upload endpoint was found to be unsafely deserialising user-supplied input via the decode_key function. A serialised Smarty File Deletion payload (generated via PHPGGC) could be sent and deserialised, leading to arbitrary file deletion, the application state being reset and an opportunity for takeover.
Full writeups available here and here.
Path Traversal to Arbitrary File Delete (CVE-2025-21622 – CVSS 7.5)
The user profile page allowed users to upload files or specify URLs to point to for profile images. The same functionality also allowed users to remove the image, which was equivalent to removing the uploaded file on the filesystem. This functionality was found to be vulnerable to path traversal when specifying traversal sequences in the Image URL, thus leading to arbitrary file deletion as well.
Full writeup available here.
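The following PHP helper is an added example (not ClipBucket's own code) of the check the profile-image removal path lacked: the supplied name is validated, resolved with realpath() and confirmed to lie inside the image directory before unlink() is called. The directory path and the function names are assumptions.

```php
<?php
// Added example, not ClipBucket code: a profile-image removal helper that
// refuses path traversal. The directory and function names are assumed.
declare(strict_types=1);

const PROFILE_IMAGE_DIR = '/var/www/clipbucket/files/photos'; // assumed location

/**
 * Resolve a user-supplied image name to a path inside PROFILE_IMAGE_DIR.
 * Returns null when the name is malformed, escapes the directory or does not exist.
 */
function resolve_profile_image(string $userSupplied): ?string
{
    // Accept only a plain file name: no slashes, backslashes, NUL bytes or leading dots.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $userSupplied)) {
        return null;
    }
    $base = realpath(PROFILE_IMAGE_DIR);
    $candidate = realpath(PROFILE_IMAGE_DIR . DIRECTORY_SEPARATOR . $userSupplied);
    if ($base === false || $candidate === false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; confirm the result is still under the
    // image directory. The trailing separator stops "/files/photos_x" matching "/files/photos".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Remove a profile image. The vulnerable pattern this replaces is the equivalent of
 * unlink($dir . $_REQUEST['image_url']) with no validation of the supplied value.
 * Better still, take the file name from the user's own stored record rather than
 * from the request at all.
 */
function remove_profile_image(string $userSupplied): bool
{
    $path = resolve_profile_image($userSupplied);
    if ($path === null || !is_file($path)) {
        // Log refused attempts; repeated "../" sequences here are worth alerting on.
        error_log('profile image removal refused for input: ' . $userSupplied);
        return false;
    }
    return unlink($path);
}
```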
Unauthenticated Denial-of-Service (CVE-2025-21623 – CVSS 7.5)
The application used the Smarty templating engine to manage rendering of View components. A set_the_template function could be used to specify the template used by the engine via GET parameters; however, the function did not appropriately check for authentication. Therefore, a single unauthenticated GET request could be sent to overwrite the existing template value in the database, causing the templating engine to break and the entire frontend to become unusable to all users.
Full writeup available here.
File Upload to Remote Code Execution (CVE-2025-21624 – CVSS 9.8)
The application allowed users to upload custom playlist images via the Manage Playlist feature. However, it did not appropriately restrict user-uploaded files based on filetype, file contents, or even the filename. This allowed users to supply a malicious PHP webshell to be saved on the filesystem and later accessed to gain RCE on the system. The feature was subsequently removed entirely as it was deemed to be legacy/unfinished.
Full writeup available here.
An OffSec lab machine has also been created leveraging this particular vulnerability.
Outcome of the Code Review
The maintainers were quick to respond and patch the vulnerabilities. To learn more about Source Code Review at Sekuro, visit our application security services.