CVE-2025-62424
BaseFortify
Publication date: 2025-10-17
Last updated on: 2025-11-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oxygenz | clipbucket | From 5.3 (inc) to 5.5.2-147 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ClipBucket version 5.5.2 - #146 and earlier, specifically in the /admin_area/template_editor.php endpoint. It is a path traversal vulnerability where the validation of the file-loading path is insufficient. This allows authenticated administrators to use path traversal sequences in the folder parameter to read and write arbitrary files outside the intended template directory.
How can this vulnerability impact me? :
An attacker with administrator privileges can exploit this vulnerability to read sensitive files such as /etc/passwd and modify writable files on the system. This can lead to sensitive information disclosure and potentially compromise the application or the server.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ClipBucket to version 5.5.2 - #147 or later, where the path traversal vulnerability in /admin_area/template_editor.php is fixed. Additionally, restrict administrator access to trusted users only and monitor for any unauthorized file access or modifications.