ClipBucket v5, Stored XSS, CVE-2025-64336 (Medium)


In ClipBucket v5 versions 5.5.2-146 and prior, a stored cross-site scripting vulnerability exists in the Manage Photos feature. An authenticated regular user can upload a photo and set a malicious value containing HTML or JavaScript in a photo field. The application stores this value in the database without proper input sanitization. User-facing pages such as the photo gallery encode the output safely, but the administrative interface (Admin → Manage Photos) fails to apply adequate output encoding when rendering the photo field. The injected script therefore executes in the context of an administrator's browser when the administrator views the management page. Because the JavaScript runs with administrative privileges, it enables actions such as session hijacking, data theft, or further system compromise. The vulnerability stems from insufficient validation of user-controlled input and a lack of server-side escaping in the admin panel. Version 5.5.2-147 fixes this by applying proper HTML entity encoding to the photo field in all administrative displays.
Platform: ClipBucket v5
Version: 5.5.2-146 and below
Vulnerability: Stored XSS
Severity: Medium
Date: 11/07/2025

Prediction: Patch 147 released

What Undercode Say:

Analytics:

Sample XSS payload

Curl upload test

curl -F "=" -F "[email protected]" $TARGET/upload

How It Is Exploited:

An authenticated user uploads a photo with a malicious photo field value. An admin then views Manage Photos, and the stored script executes in the admin's browser.

Protection from this CVE:

Update to 5.5.2-147. Implement output encoding. Use CSP headers.
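The following PHP is an added illustration of the two protections named above, not ClipBucket's own code: the unsafe pattern the advisory describes (a stored photo field echoed into admin HTML as-is) next to the entity-encoded rendering the fix applies, plus a CSP header for the admin panel as defence in depth. The column name photo_field, the row layout and the sample record are hypothetical and constructed for the example.

```php
<?php
// Added example (not ClipBucket code). The column name, table markup and the
// stored record below are hypothetical and constructed for illustration.
declare(strict_types=1);

/** Unsafe: the raw database value is interpolated into admin HTML (the pattern behind CVE-2025-64336). */
function renderPhotoRowUnsafe(array $photo): string
{
    return '<tr><td>' . $photo['photo_field'] . '</td></tr>';
}

/** Encode every untrusted value at output time; ENT_QUOTES also covers attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Safe: the same row with HTML entity encoding applied, as the 5.5.2-147 fix does for admin displays. */
function renderPhotoRowSafe(array $photo): string
{
    return '<tr><td>' . e($photo['photo_field']) . '</td></tr>';
}

/**
 * Defence in depth for the admin panel: a CSP that refuses inline script, so a
 * stored value that slips past encoding somewhere else still does not execute.
 * Must be sent before any output; in CLI mode header() is a no-op.
 */
function sendAdminCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

sendAdminCsp();

// Constructed record standing in for a row a regular user could store via Manage Photos.
$stored = ['photo_field' => '<script>console.log("stored")</script>"'];

echo renderPhotoRowUnsafe($stored), PHP_EOL; // script tag reaches the admin's browser intact
echo renderPhotoRowSafe($stored), PHP_EOL;   // &lt;script&gt;...&lt;/script&gt;&quot; is rendered as text
```

The encoding belongs at the point of output, not at upload time: the gallery and the admin page render the same stored value, and the advisory shows that sanitising only one view leaves the other exposed.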

Impact:

Session hijacking, privilege escalation, data theft.


Sources:

Reported By: nvd.nist.gov