ClipBucket Stored Cross-Site Scripting Vulnerability in Manage Playlists Feature

A stored cross-site scripting vulnerability has been identified in ClipBucket version 5.5.2-#146 and earlier, specifically within the Manage Playlists feature. The issue arises in the Playlist Name field, where an authenticated low-privileged user can input a name containing HTML or JavaScript. This malicious code is then rendered without proper escaping on both the playlist detail and listing pages, allowing for the execution of arbitrary JavaScript in the browsers of all viewers, including administrators.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the playlist.

Reproduction

To reproduce this vulnerability, log in as an authenticated user and navigate to the Manage Playlists section. Create a new playlist and enter a malicious payload, such as an image tag with an error event handler, into the Playlist Name field. Once the playlist is saved, the injected script will execute when the playlist is viewed, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to ClipBucket version 5.5.2-#147 or later, where this vulnerability has been fixed.