CRITICAL🇵🇱 Wersja polska

CVE-2024-54135

CVSS 9.8v3.1pub. 2024-12-06upd. 2025-09-22

ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photo_upload.php within the decode_key function. User inputs were supplied to this function without sanitization via collection GET parameter and photoIDS POST parameter respectively. The decode_key function invokes PHP unserialize function as defined in upload/includes/classes/photos.class.php. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200.

🤖 AI Analysis
How it works

The vulnerability is located in the upload/photo_upload.php file in the decode_key function, which calls the built-in PHP unserialize function (defined in upload/includes/classes/photos.class.php). Input data is passed to this function without any sanitization — through a GET parameter named collection and a POST parameter named photoIDS. An attacker can provide a crafted serialized PHP object and then exploit available gadget chains to trigger unwanted application behavior, such as remote code execution (RCE).

Impact

An unauthenticated attacker can gain full control over the server — including confidentiality, integrity, and availability of data — through remote code execution (RCE) using gadget chains.

Mitigation & patch

ClipBucket V5 should be updated to version 5.5.1 Revision 200, in which the vulnerability has been fixed. The patch is available in the project's GitHub repository (commit 76a829c088f0813ab3244a3bd0036111017409b0).

Who is affected

ClipBucket V5 in versions from 2.0 to 5.5.1 Revision 199 (inclusive)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oxygenz Clipbucket

    APP
    Oxygenz
    2.0 – 5.5.1-200 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-25728CRITICAL9.3PL ✓ten sam produkt

TOCTOU Race Condition w ClipBucket umożliwia wykonanie kodu PHP

CVE-2026-21875CRITICAL9.8PL ✓ten sam produkt

Blind SQL Injection w ClipBucket v5 — sekcja komentarzy kanału

CVE-2025-67418CRITICAL9.8PL ✓ten sam produkt

ClipBucket 5.5.2 — hardcoded domyślne dane logowania w panelu admina

CVE-2025-21624CRITICAL9.8PL ✓ten sam produkt

ClipBucket V5 — nieograniczony upload plików PHP przez funkcję playlist

CVE-2024-54136CRITICAL9.8PL ✓ten sam produkt

PHP Deserialization w ClipBucket V5 umożliwia zdalne wykonanie kodu