CVE-2024-54135

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Dec 6, 2024
CWE ID 502

Summary

CVE-2024-54135 affects ClipBucket V5, an open-source video hosting solution built with PHP. Versions 2.0 to 5.5.1 Revision 199 are vulnerable to a PHP deserialization issue. The vulnerability lies in the use of the decode_key function in upload/photo_upload.php, which accepts user input without sanitization via the collection GET parameter and the photoIDS POST parameter. The decode_key function, defined in upload/includes/classes/photos.class.php, uses PHP's unserialize function, allowing an adversary to inject maliciously crafted PHP serialized objects and exploit gadget chains to induce unintended application behavior. The vulnerability is fixed in 5.5.1 Revision 200.
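
The flaw class described above (CWE-502) next to a hardened decoder, as an added example; it is not ClipBucket's code and not the Revision 200 patch. The names decode_key_unsafe and decode_key_safe are hypothetical, and the assumption that the key should carry only a flat list of integer photo IDs is made here for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: request data goes straight into unserialize(), so any
// class the application has loaded can be instantiated from attacker input
// and its magic methods (__wakeup, __destruct, ...) will run.
function decode_key_unsafe(string $key)
{
    return unserialize($key);
}

// Hardened form: never instantiate objects, then validate the decoded shape.
// Assumption: a valid key is a flat array of positive integer IDs.
function decode_key_safe(string $key): array
{
    // allowed_classes => false (PHP >= 7.0) turns every serialized object
    // into __PHP_Incomplete_Class, so no application code is triggered.
    $data = @unserialize($key, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('key is not a serialized array');
    }
    $ids = [];
    foreach ($data as $value) {
        // Rejects nested arrays, incomplete-class objects, strings, floats.
        if (!is_int($value) || $value < 1) {
            throw new InvalidArgumentException('key contains a non-ID value');
        }
        $ids[] = $value;
    }
    return $ids;
}

// Constructed sample inputs; stdClass stands in for any serialized object.
$samples = [
    'id list'     => serialize([12, 15, 99]),
    'with object' => serialize([12, new stdClass()]),
    'malformed'   => 'not-serialized-data',
];

foreach ($samples as $label => $key) {
    try {
        echo $label, ': accepted ', implode(',', decode_key_safe($key)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Where the wire format can be changed, exchanging the value as JSON (json_encode / json_decode) removes the object-instantiation surface entirely.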
