nvd-json-data-feeds/CVE-2024/CVE-2024-541xx/CVE-2024-54135.json

{
  "id": "CVE-2024-54135",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-12-06T16:15:22.340",
  "lastModified": "2024-12-06T16:15:22.340",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photo_upload.php  within the decode_key function. User inputs were supplied to this function without sanitization via collection GET parameter and photoIDS POST parameter respectively. The decode_key function invokes PHP unserialize function as defined in upload/includes/classes/photos.class.php. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200."
    },
    {
      "lang": "es",
      "value": "ClipBucket V5 ofrece alojamiento de v\u00eddeo de c\u00f3digo abierto con PHP. Las versiones 2.0 a 5.5.1 de ClipBucket-v5, revisi\u00f3n 199, son vulnerables a la vulnerabilidad de deserializaci\u00f3n de PHP. La vulnerabilidad existe en upload/photo_upload.php dentro de la funci\u00f3n decode_key. Las entradas del usuario se suministraban a esta funci\u00f3n sin sanitizaci\u00f3n a trav\u00e9s del par\u00e1metro GET de recopilaci\u00f3n y el par\u00e1metro POST de photoIDS respectivamente. La funci\u00f3n decode_key invoca la funci\u00f3n de deserializaci\u00f3n de PHP definida en upload/includes/classes/photos.class.php. Como resultado, es posible que un adversario inyecte un objeto serializado PHP manipulado con fines malintencionados y utilice cadenas de gadgets para provocar comportamientos inesperados en la aplicaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 5.5.1, revisi\u00f3n 200."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/MacWarrior/clipbucket-v5/commit/76a829c088f0813ab3244a3bd0036111017409b0",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-4523-mqmv-wrqx",
      "source": "security-advisories@github.com"
    }
  ]
}
Auto-Update: 2024-12-06T17:00:25.808731+00:00 2024-12-06 17:03:37 +00:00			`{`
			`"id": "CVE-2024-54135",`
			`"sourceIdentifier": "security-advisories@github.com",`
			`"published": "2024-12-06T16:15:22.340",`
			`"lastModified": "2024-12-06T16:15:22.340",`
Auto-Update: 2024-12-15T03:00:19.262894+00:00 2024-12-15 03:03:56 +00:00			`"vulnStatus": "Awaiting Analysis",`
Auto-Update: 2024-12-06T17:00:25.808731+00:00 2024-12-06 17:03:37 +00:00			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photo_upload.php within the decode_key function. User inputs were supplied to this function without sanitization via collection GET parameter and photoIDS POST parameter respectively. The decode_key function invokes PHP unserialize function as defined in upload/includes/classes/photos.class.php. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200."
Auto-Update: 2024-12-15T03:00:19.262894+00:00 2024-12-15 03:03:56 +00:00			`},`
			`{`
			`"lang": "es",`
			"value": "ClipBucket V5 ofrece alojamiento de v\u00eddeo de c\u00f3digo abierto con PHP. Las versiones 2.0 a 5.5.1 de ClipBucket-v5, revisi\u00f3n 199, son vulnerables a la vulnerabilidad de deserializaci\u00f3n de PHP. La vulnerabilidad existe en upload/photo_upload.php dentro de la funci\u00f3n decode_key. Las entradas del usuario se suministraban a esta funci\u00f3n sin sanitizaci\u00f3n a trav\u00e9s del par\u00e1metro GET de recopilaci\u00f3n y el par\u00e1metro POST de photoIDS respectivamente. La funci\u00f3n decode_key invoca la funci\u00f3n de deserializaci\u00f3n de PHP definida en upload/includes/classes/photos.class.php. Como resultado, es posible que un adversario inyecte un objeto serializado PHP manipulado con fines malintencionados y utilice cadenas de gadgets para provocar comportamientos inesperados en la aplicaci\u00f3n. Esta vulnerabilidad se ha corregido en la versi\u00f3n 5.5.1, revisi\u00f3n 200."
Auto-Update: 2024-12-06T17:00:25.808731+00:00 2024-12-06 17:03:37 +00:00			`}`
			`],`
			`"metrics": {`
			`"cvssMetricV31": [`
			`{`
			`"source": "security-advisories@github.com",`
			`"type": "Secondary",`
			`"cvssData": {`
			`"version": "3.1",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",`
			`"baseScore": 9.8,`
			`"baseSeverity": "CRITICAL",`
			`"attackVector": "NETWORK",`
			`"attackComplexity": "LOW",`
			`"privilegesRequired": "NONE",`
			`"userInteraction": "NONE",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"availabilityImpact": "HIGH"`
			`},`
			`"exploitabilityScore": 3.9,`
			`"impactScore": 5.9`
			`}`
			`]`
			`},`
			`"weaknesses": [`
			`{`
			`"source": "security-advisories@github.com",`
			`"type": "Primary",`
			`"description": [`
			`{`
			`"lang": "en",`
			`"value": "CWE-502"`
			`}`
			`]`
			`}`
			`],`
			`"references": [`
			`{`
			`"url": "https://github.com/MacWarrior/clipbucket-v5/commit/76a829c088f0813ab3244a3bd0036111017409b0",`
			`"source": "security-advisories@github.com"`
			`},`
			`{`
			`"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-4523-mqmv-wrqx",`
			`"source": "security-advisories@github.com"`
			`}`
			`]`
			`}`