CVE-2025-62430
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-11-10

Assigner: GitHub, Inc.

Description
ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept user supplied values without adequate sanitization. For photos the Photo Title and Photo Tags fields accept user supplied values without adequate sanitization. A regular user who can edit a video or photo can inject script (for example by supplying a value such as a closing delimiter followed by a script element). The injected script executes when any user, including an unauthenticated visitor or an administrator, views the affected video or photo page. Although cookies are set with the HttpOnly attribute and cannot be read directly, the injected script can issue fetch requests to endpoints such as admin_area pages and exfiltrate their contents or trigger unintended actions. Version 5.5.2 build #146 and later contain a fix. Update to build 5.5.2 #146 or later. No known workarounds exist.
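As an added illustration of the CWE-79 defect this advisory describes (not code from ClipBucket, its maintainers, or the advisory itself), the following PHP fragment shows the vulnerable pattern, metadata concatenated straight into markup, beside the hardened pattern, each value encoded for the HTML context it lands in. The function names, the tag-list markup and the sample tag values are assumptions constructed for the example; the same treatment applies to every field the advisory lists (Genre, Actors, Producer, Executive Producer, Director, Photo Title, Photo Tags).

```php
<?php
// Added example (not ClipBucket's own code). Function names, the markup for a
// tags list and the sample input are constructed for illustration.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: user-controlled tags concatenated into markup verbatim (CWE-79). */
function renderTagsUnsafe(array $tags): string
{
    $items = array_map(
        fn(string $t): string => '<a href="/search?tag=' . $t . '">' . $t . '</a>',
        $tags
    );
    return '<p class="tags">' . implode(' ', $items) . '</p>';
}

/** Hardened pattern: URL-encode for the query string, then HTML-encode for each context. */
function renderTagsSafe(array $tags): string
{
    $items = array_map(
        fn(string $t): string => '<a href="/search?tag=' . h(rawurlencode($t)) . '">' . h($t) . '</a>',
        $tags
    );
    return '<p class="tags">' . implode(' ', $items) . '</p>';
}

/** Regression check for a rendered fragment: no script element may survive encoding. */
function containsScriptElement(string $html): bool
{
    return preg_match('/<\s*script\b/i', $html) === 1;
}

// Constructed sample input in the shape the advisory describes: a value that closes
// the surrounding delimiter and then opens a script element.
$tags = ['comedy', '"><script>alert(1)</script>'];

$unsafe = renderTagsUnsafe($tags);
$safe   = renderTagsSafe($tags);

printf("unsafe render contains script element: %s\n", containsScriptElement($unsafe) ? 'yes' : 'no');
printf("safe render contains script element:   %s\n", containsScriptElement($safe) ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

The point is encoding at the output sink rather than trying to filter on input: the stored value stays exactly what the user typed, and each place that renders it applies the encoder for its own context (attribute, text node, URL component). As the advisory notes, HttpOnly cookies do not mitigate this class of bug, because the injected script runs in the victim's session and can call admin endpoints directly; the fix is correct output encoding, which build #146 supplies, so updating remains the required action.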
Meta Information
Published: 2025-10-17
Last Modified: 2025-11-10
Generated: 2026-05-07
AI Q&A: 2025-10-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: oxygenz
Product: clipbucket
Version / Range: From 5.3 (inc) to 5.5.2-146 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored cross-site scripting (XSS) issue in ClipBucket v5 through build 5.5.2 #145. It occurs because multiple video and photo metadata fields accept user-supplied values without proper sanitization. An attacker with permission to edit a video or photo can inject malicious scripts into fields like Tags, Genre, Actors, Producer, Executive Producer, Director for videos, and Photo Title and Photo Tags for photos. When any user, including unauthenticated visitors or administrators, views the affected page, the injected script executes. Although cookies are protected with HttpOnly, the script can still perform actions such as sending fetch requests to admin pages and exfiltrating data or triggering unintended actions.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute malicious scripts in the context of the affected website, potentially leading to unauthorized data access or manipulation. The injected scripts can exfiltrate sensitive information from admin pages or trigger unintended actions, compromising the integrity and confidentiality of the platform. This can affect all users, including administrators and unauthenticated visitors, leading to potential data breaches or unauthorized control over site functions.


What immediate steps should I take to mitigate this vulnerability?

Update ClipBucket to version 5.5.2 build #146 or later, as these versions contain a fix for the stored cross-site scripting vulnerability. No known workarounds exist.

