CVE-2024-54135

Name of the Vulnerable Software and Affected Versions: ClipBucket-v5 versions 2.0 through 5.5.1 Revision 199

Description: ClipBucket V5 provides open source video hosting with PHP. The issue exists in the upload/photo upload.php file, specifically within the decode key function. This function invokes the PHP unserialize function as defined in upload/includes/classes/photos.class.php. User inputs are supplied to this function without sanitization via the collection GET parameter and photoIDS POST parameter. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized objects and utilize gadget chains to cause unexpected behaviors of the application.

Recommendations: For ClipBucket-v5 versions 2.0 through 5.5.1 Revision 199, update to version 5.5.1 Revision 200 to fix the PHP Deserialization vulnerability. As a temporary workaround, consider disabling the decode key function in upload/photo upload.php until a patch is available. Restrict access to the upload/photo upload.php file to minimize the risk of exploitation. Avoid using the collection GET parameter and photoIDS POST parameter in the affected API endpoint until the issue is resolved.