CVE-2024-54135
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-54135
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54135.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-54135
- Aliases
-
- GHSA-4523-mqmv-wrqx
- Published
- 2024-12-06T15:11:04.933Z
- Modified
- 2025-12-01T19:46:12.126178Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199
- Details
-
ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photoupload.php within the decodekey function. User inputs were supplied to this function without sanitization via collection GET parameter and photoIDS POST parameter respectively. The decode_key function invokes PHP unserialize function as defined in upload/includes/classes/photos.class.php. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200.
- Database specific
{ "cwe_ids": [ "CWE-502" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54135.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54135.json
- https://github.com/MacWarrior/clipbucket-v5/commit/76a829c088f0813ab3244a3bd0036111017409b0
- https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-4523-mqmv-wrqx
- https://nvd.nist.gov/vuln/detail/CVE-2024-54135