CVE-2018-7665

CRITICAL

Clip-bucket Clipbucket < 4.0.0 - Unrestricted File Upload

Title source: rule

Description

An issue was discovered in ClipBucket before 4.0.0 Release 4902. A malicious file can be uploaded via the name parameter to actions/beats_uploader.php or actions/photo_uploader.php, or the coverPhoto parameter to edit_account.php.

Exploits (1)

metasploit WORKING POC EXCELLENT

by www.sec-consult.com · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/clipbucket_fileupload_exec.rb

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://lists.openwall.net/full-disclosure/2018/02/27/1

[Exploit, Third Party Advisory] https://www.sec-consult.com/en/blog/advisories/os-command-injection-arbitrary-file-upload-sql-injection-in-clipbucket/index.html

Scores

CVSS v3 9.8

EPSS 0.7111

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

clip-bucket/clipbucket < 4.0.0

Published Mar 05, 2018

Tracked Since Feb 18, 2026