Unknown · Clipbucket · CVE-2026-25728
**Name of the Vulnerable Software and Affected Versions**
ClipBucket versions prior to 5.5.3
**Description**
ClipBucket is an open source video sharing platform. A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the avatar and background image upload functionality. The application moves an uploaded file to a web-accessible location before validating it: the file is placed with `move_uploaded_file()`, then checked with `ValidateImage()`, and only if validation fails is it removed with `@unlink()`. Between the move and the unlink the file is reachable over HTTP, so an attacker who uploads a PHP file disguised as an image and requests its URL in that window can potentially execute arbitrary PHP code before the file is deleted.
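As an added illustration (not ClipBucket's own code), the vulnerable ordering described above next to a hardened one, written in PHP because that is what the named functions are. The helper `validateImage()`, the `$webRoot` argument, the `avatars/` subdirectory and the file-name handling are assumptions for the example; the advisory does not describe ClipBucket's actual `ValidateImage()` or its paths.

```php
<?php
// Added example, not ClipBucket's code. Shows the move-then-validate race and
// a validate-then-move fix. validateImage(), $webRoot and 'avatars/' are assumed.

// Vulnerable ordering: the file is reachable over HTTP between
// move_uploaded_file() and @unlink(). If the web server runs PHP from
// $webRoot/avatars/, a request for it in that window executes it.
function storeAvatarVulnerable(array $file, string $webRoot): ?string
{
    // Client-supplied name is kept, so "shell.php" stays "shell.php".
    $dest = $webRoot . '/avatars/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    if (!validateImage($dest)) {   // check happens after the file is already live
        @unlink($dest);            // attacker only needs to win this window
        return null;
    }
    return $dest;
}

// Hardened ordering: validate while the file still sits in PHP's upload
// temporary directory (outside the document root), derive the extension from
// the detected image type instead of the client name, then move it under a
// server-chosen name. The file is never web-accessible before validation.
function storeAvatarHardened(array $file, string $webRoot): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!validateImage($file['tmp_name'])) {
        return null;               // rejected without ever touching $webRoot
    }
    $info = getimagesize($file['tmp_name']);
    $ext  = image_type_to_extension($info[2], false);   // "jpeg", "png", "gif"
    $dest = $webRoot . '/avatars/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);            // not executable, world-readable image
    return $dest;
}

// Assumed validator: accept only files whose header parses as JPEG, PNG or GIF.
function validateImage(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false) {
        return false;              // not a parseable image (e.g. a bare PHP script)
    }
    return in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

// Example call from an upload handler (assumed field name 'avatar'):
// $path = storeAvatarHardened($_FILES['avatar'], $_SERVER['DOCUMENT_ROOT']);
```

Two caveats apply to the hardened version. Header validation alone does not reject a polyglot that is both a valid image and a PHP script, so the upload directory should additionally be configured so the web server never executes scripts from it (for example `php_admin_flag engine off` in an Apache `<Directory>` block, or an nginx `location` for the directory that serves static files only); with that in place, winning the race yields a download rather than code execution. Second, the fix relies on PHP's upload temporary directory being outside the document root, which is the default but worth confirming on the host.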
**Recommendations**
Update to version 5.5.3 or later. Until the update is applied, configuring the web server so that PHP is not executed from the avatar and background image upload directories removes the exploitable window, and is worth keeping as defense in depth afterwards.