CVE-2025-64336

5.4 MEDIUM

📋 TL;DR

ClipBucket v5 versions 5.5.2-#146 and below contain a stored XSS vulnerability in the Manage Photos feature. Authenticated regular users can inject malicious JavaScript into photo titles that executes when administrators view the admin panel. This allows attackers to perform actions with administrator privileges.

💻 Affected Systems

Products:
  • ClipBucket v5
Versions: 5.5.2-#146 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated regular user access. Admin panel must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account takeover leading to complete system compromise, data theft, or malware deployment.

🟠 Likely Case: Session hijacking, credential theft, or unauthorized administrative actions.

🟢 If Mitigated: Limited impact due to proper input validation and output encoding.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and XSS can lead to account compromise.
🏢 Internal Only: MEDIUM - Requires authenticated user access but can still impact administrators.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access. The payload is a simple HTML/JavaScript injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.2-#147

Vendor Advisory: https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-hjc2-5329-j49w

Restart Required: No

Instructions:

1. Back up your database and files.
2. Download version 5.5.2-#147 from GitHub releases.
3. Replace affected files with patched versions.
4. Clear any cached data.

🔧 Temporary Workarounds

Input Validation Filter (all)

  • Add server-side validation to sanitize photo titles before storage
  • Implement HTML entity encoding for user input in photo title fields

Admin Panel Access Restriction (all)

  • Restrict admin panel access to trusted IP addresses only
  • Add IP whitelisting to the admin directory via .htaccess or web server config
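The two title-handling workarounds above, as an added example that is not ClipBucket's own code: a strict server-side check applied when the title is submitted, and HTML entity encoding applied wherever the stored title is placed into admin-panel HTML. Function names and the sample titles are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Server-side check applied on upload: a photo title has no legitimate need
// for angle brackets or control characters, so reject any title carrying them.
function isAcceptablePhotoTitle(string $title): bool
{
    if (!mb_check_encoding($title, 'UTF-8') || mb_strlen($title, 'UTF-8') > 200) {
        return false;
    }
    // preg_match() returns 0 for "no match"; false (error) also ends in rejection.
    return preg_match('/[<>\x00-\x1F\x7F]/u', $title) === 0;
}

// Encoding applied at render time, which also neutralises titles that were
// stored before the upload check existed. ENT_QUOTES covers both ' and " so
// the value is safe inside attributes as well as element content;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
function renderPhotoTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed samples: a benign title with quotes, and the advisory's test payload.
$samples = [
    'O\'Brien "Sunset" 2024',
    "<script>alert('test')</script>",
];

foreach ($samples as $title) {
    $verdict = isAcceptablePhotoTitle($title) ? 'accepted' : 'rejected';
    $safe    = renderPhotoTitle($title);
    // The same encoded value is reused in attribute and content position.
    printf("%-8s <td title=\"%s\">%s</td>\n", $verdict, $safe, $safe);
}
```

The first sample is accepted and its quotes become `&#039;` and `&quot;`; the second is rejected on upload and, if rendered anyway, appears as literal `&lt;script&gt;` text rather than executing.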

🧯 If You Can't Patch

  • Disable photo uploads for regular users
  • Implement a web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check whether you are running ClipBucket v5 version 5.5.2-#146 or earlier. Test by uploading a photo with <script>alert('test')</script> as the title and viewing it in the admin panel.

Check Version:

Check includes/version.php or the admin area for version information.

Verify Fix Applied:

After patching, attempt the same XSS test. The script should not execute and should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual photo uploads with HTML/JavaScript in titles
  • Multiple photo uploads from single user

Network Indicators:

  • POST requests to upload.php with script tags in parameters

SIEM Query:

source="web_logs" AND (uri="/upload.php" OR uri="/admin/manage_photos.php") AND (param="title" CONTAINS "<script>" OR param="title" CONTAINS "javascript:")
