PT-2024-36064 · Unknown · Clipbucket-V5

0Xbko · Published 2024-12-06 · Updated 2024-12-06 · CVE-2024-54136

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ClipBucket-v5 versions 5.5.1 Revision 199 and below
Description: The issue exists in the upload/upload.php file, where user-supplied input from the "collection" GET parameter is passed directly to the unserialize function. This allows an adversary to inject maliciously crafted PHP serialized objects and use gadget chains to cause unexpected application behaviour.
Recommendations: For ClipBucket-v5 versions 5.5.1 Revision 199 and below, update to Revision 200 or later to resolve the issue. As a temporary workaround, consider restricting access to the upload/upload.php file, or disabling the unserialize call on the "collection" GET parameter, until the patch is applied.
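The pattern the description names (a GET parameter fed straight into unserialize) beside a hardened form, as an added example that is not ClipBucket's code and not its actual Revision 200 fix; the parameter name comes from the advisory, while the expected shape of the value (a list of integer IDs) and the function names are assumptions.

```php
<?php
// Added example, not ClipBucket's code. The "collection" parameter name is
// from the advisory; treating it as a list of integer IDs is an assumption.

// Vulnerable pattern: untrusted input deserialized with default options.
// Every class name in the payload is instantiated, so magic methods
// (__wakeup, __destruct, ...) of application or library classes can run.
function collection_from_request_unsafe(array $get)
{
    return unserialize($get['collection']);
}

// Hardened pattern: refuse object instantiation and validate the result's
// shape before use. With 'allowed_classes' => false, any object in the
// payload is materialised as __PHP_Incomplete_Class, so no application
// class is constructed and no magic method fires.
function collection_from_request_safe(array $get): array
{
    if (!isset($get['collection']) || !is_string($get['collection'])) {
        return [];
    }
    // Malformed input makes unserialize() return false (with a notice);
    // anything that is not an array is rejected below.
    $value = unserialize($get['collection'], ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    // Keep only non-negative integers, which is all a collection list holds.
    $ids = [];
    foreach ($value as $item) {
        if (is_int($item) && $item >= 0) {
            $ids[] = $item;
        }
    }
    return $ids;
}

// Constructed sample inputs, not taken from a real request.
$benign = ['collection' => serialize([12, 7])];            // list of IDs
$object = ['collection' => serialize(new stdClass())];     // carries an object

var_dump(collection_from_request_safe($benign));  // the two IDs survive
var_dump(collection_from_request_safe($object));  // empty: object rejected
```

Replacing the serialized format with a JSON array and json_decode() removes the object-instantiation surface entirely and is the stronger long-term fix where the client can be changed.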

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-54136
GHSA-VXVF-5CMQ-5F78

Affected Products

Clipbucket-V5