ClipBucket Stored Cross-Site Scripting Vulnerability in Video and Photo Metadata

Vulnerability

A stored cross-site scripting vulnerability has been identified in ClipBucket version 5.5.2 prior to 5.5.2 #146. This issue affects multiple fields in the video and photo metadata sections, allowing users to inject malicious scripts that are executed when the content is viewed. In the video metadata, the Tags field and several other fields in Movieinfos are vulnerable. For photos, the Photo Title and Photo Tags fields are affected. The injected scripts can execute fetch requests to exfiltrate data from admin area pages, despite cookies being protected with the HttpOnly attribute.

Impact

Exploitation of this vulnerability allows for the execution of injected scripts, which can be used to steal information or perform actions on behalf of the user, potentially leading to phishing attacks.

Reproduction

To reproduce this vulnerability, a regular user can edit a video or photo and inject a script into the vulnerable metadata fields. Once the injection is made, the script will execute when the video or photo page is viewed, including by administrators and unauthenticated users.

Remediation

Users are advised to update to ClipBucket version 5.5.2 #146 or later, where this vulnerability has been fixed.
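
Metadata saved before the upgrade may already contain injected markup. The following audit sketch is an added example, not ClipBucket code or part of the original advisory; it flags stored values in the affected fields that contain HTML-active content and shows output encoding of such a value. The field keys and sample rows are constructed assumptions, not ClipBucket's actual schema.

```python
import html
import re

# Keys are hypothetical labels for the fields the advisory names
# (video Tags, Photo Title, Photo Tags), not ClipBucket's real column names.
FIELDS = ("video_tags", "photo_title", "photo_tags")

# Signs of HTML-active content in a field that should hold plain text.
SUSPICIOUS = [
    ("tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_uri", re.compile(r"\bjavascript\s*:", re.I)),
]

def normalize(value):
    """Decode HTML entities up to three times so entity-encoded markup is caught too."""
    for _ in range(3):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit(rows):
    """Return (row id, field, reasons) for each field whose value contains markup."""
    findings = []
    for row in rows:
        for field in FIELDS:
            text = normalize(row.get(field) or "")
            reasons = [name for name, rx in SUSPICIOUS if rx.search(text)]
            if reasons:
                findings.append((row["id"], field, reasons))
    return findings

def render_safe(value):
    """Encode a value for an HTML text node or a quoted attribute."""
    return html.escape(value, quote=True)

# Constructed sample rows, not data from a real installation.
SAMPLE_ROWS = [
    {"id": 1, "video_tags": "cats,funny"},
    {"id": 2, "video_tags": "<script>alert(1)</script>"},
    {"id": 3, "photo_title": "Sunset &lt;img src=x onerror=alert(1)&gt;", "photo_tags": "beach"},
    {"id": 4, "photo_title": "Tom & Jerry: best of", "photo_tags": "a<b"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Flagged rows need manual review. The advisory does not say whether the fix encodes on output or filters on input, so values stored before the upgrade should not be assumed inert.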

Added: Oct 17, 2025, 6:18 PM
Updated: Oct 17, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 3.5
exploitability: 6.5
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.