CVE-2025-64339
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-11-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oxygenz | clipbucket | From 5.3 (inc) to 5.5.2-147 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-site Scripting (XSS) issue in ClipBucket v5 versions 5.5.2-#146 and below. It occurs in the Manage Playlists feature, specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML or JavaScript code. This code is stored and then rendered unescaped on playlist detail and listing pages, causing arbitrary JavaScript to execute in the browsers of anyone viewing the playlist, including administrators.
How can this vulnerability impact me?
The vulnerability allows an attacker with low privileges to execute arbitrary JavaScript code in the browsers of users who view the malicious playlist, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential compromise of the entire application or user accounts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ClipBucket to version 5.5.2-#147 or later, where the stored Cross-site Scripting (XSS) vulnerability in the Manage Playlists feature is fixed. Additionally, restrict playlist creation permissions to trusted users and monitor for suspicious playlist names containing HTML or JavaScript code.
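The defect class above (CWE-79) comes down to one missing step: a stored, user-controlled string is copied into HTML without output encoding. The following added example, which is not ClipBucket's code and does not reproduce its templates, shows a vulnerable rendering function beside its encoded form, and a small audit heuristic of the kind the mitigation advice calls "monitoring for suspicious playlist names". All playlist rows, function names and the `<li>` template are constructed for illustration.

```javascript
// Added example (not ClipBucket's code): output encoding for a stored playlist
// name, the vulnerable rendering it replaces, and a simple audit for names that
// already contain markup. The playlist rows below are constructed sample data.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encoding for text placed inside an HTML element body or a double-quoted
// attribute value. This is the step whose absence produces CWE-79: without it
// the stored string is copied into the page as live markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into the HTML,
// so a name containing a <script> tag executes for every viewer of the page.
function renderPlaylistCardUnsafe(playlist) {
  return `<li class="playlist" data-id="${playlist.id}">${playlist.name}</li>`;
}

// Hardened pattern: the same template, but every user-controlled value is
// encoded at the point it enters the HTML output.
function renderPlaylistCard(playlist) {
  return `<li class="playlist" data-id="${escapeHtml(playlist.id)}">${escapeHtml(playlist.name)}</li>`;
}

// Audit heuristic for existing data: a legitimate playlist title has no reason
// to contain a tag opener, an inline event handler or a javascript: URL.
// This is a review aid, not a filter; output encoding remains the actual fix.
const MARKUP_PATTERNS = [
  /<\s*\/?[a-z!?]/i,   // tag opener such as <script, </div, <!--
  /\bon[a-z]+\s*=/i,   // inline event handler such as onerror=
  /javascript\s*:/i,   // script-scheme URL
];

function looksLikeMarkup(name) {
  return MARKUP_PATTERNS.some((re) => re.test(name));
}

// Returns the ids of playlists whose names should be reviewed by a person.
function auditPlaylistNames(playlists) {
  return playlists.filter((p) => looksLikeMarkup(p.name)).map((p) => p.id);
}

// Constructed sample rows standing in for a playlists table.
const SAMPLE_PLAYLISTS = [
  { id: 1, name: 'Summer mix 2025' },
  { id: 2, name: 'Tom & Jerry <3' },                       // benign "&" and "<3"
  { id: 3, name: '<script>document.title="x"</script>' },  // tag in a title
  { id: 4, name: 'cool" onmouseover="x()' },               // attribute breakout
];

function main() {
  for (const p of SAMPLE_PLAYLISTS) {
    console.log('unsafe  :', renderPlaylistCardUnsafe(p));
    console.log('encoded :', renderPlaylistCard(p));
  }
  console.log('review ids:', auditPlaylistNames(SAMPLE_PLAYLISTS));
}

main();
```

Run with `node` to see both renderings side by side: the encoded output for row 3 contains `&lt;script&gt;` rather than a tag, and the audit reports ids 3 and 4 while leaving the benign "Tom & Jerry <3" title alone. The encoding function is context-specific to element bodies and quoted attributes; a value placed into a URL, a JavaScript block or a CSS context needs the encoder for that context instead.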