CVE-2018-7664

Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 4.0.0 Release 4902

Description: The issue is related to the lack of proper neutralization of special elements used in OS commands. This allows an attacker to inject any OS commands via shell metacharacters in the file name parameter to "/api/file uploader.php" or "/actions/file downloader.php" API endpoints. The exploitation of this issue may enable a remote attacker to execute arbitrary OS commands using the file name parameter.

Recommendations: For ClipBucket versions prior to 4.0.0 Release 4902, consider disabling the "/api/file uploader.php" and "/actions/file downloader.php" API endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using the file name parameter in the affected API endpoints until the issue is resolved.