PT-2017-3600 · Clipbucket · Clipbucket

Ahmad Ramadhan Amizudin

Published

2017-10-17

Updated

2018-03-27

CVE-2018-7665

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 4.0.0 Release 4902

Description: The issue allows a remote attacker to upload malicious files to the server using the name parameter in the /actions/beats uploader.php or /actions/photo uploader.php API endpoints, or the coverPhoto parameter in the edit account.php endpoint.

Recommendations: For ClipBucket versions prior to 4.0.0 Release 4902, update to version 4.0.0 Release 4902 or later to resolve the issue. As a temporary workaround, consider restricting access to the beats uploader.php, photo uploader.php, and edit account.php scripts to minimize the risk of exploitation. Avoid using the name and coverPhoto parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

BDU:2018-00547

CVE-2018-7665

Affected Products

Clipbucket

PT-2017-3600 · Clipbucket · Clipbucket

CVE-2018-7665

Weakness Enumeration

Related Identifiers

Affected Products

References · 6