### [CVE-2024-54136](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54136)
![](https://img.shields.io/static/v1?label=Product&message=clipbucket-v5&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%205.5.1%20Revision%20141%2C%20%3C%205.5.1%20Revision%20200%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502%3A%20Deserialization%20of%20Untrusted%20Data&color=brightgreen)

### Description

ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/upload.php where the user supplied input via collection get parameter is directly provided to unserialize function. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200.

### POC

#### Reference
- https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-vxvf-5cmq-5f78

#### Github
No PoCs found on GitHub currently.