{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-30T17:40:52.030Z", "datePublished": "2025-11-07T05:12:37.704Z", "dateUpdated": "2025-11-07T17:33:46.877Z"}, "containers": {"cna": {"title": "ClipBucket v5: Stored XSS Vulnerability in Manage Playlists", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv"}, {"name": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc", "tags": ["x_refsource_MISC"], "url": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc"}], "affected": [{"vendor": "MacWarrior", "product": "clipbucket-v5", "versions": [{"version": "< 5.5.2-#147", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-07T05:12:37.704Z"}, "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer\u2019s browser, including administrators. This issue is fixed in version 5.5.2-#147."}], "source": {"advisory": "GHSA-c695-m4g4-v3fv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-07T17:29:37.164466Z", "id": "CVE-2025-64339", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-07T17:33:46.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64339", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-07T17:29:37.164466Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-07T17:30:44.425Z"}}], "cna": {"title": "ClipBucket v5: Stored XSS Vulnerability in Manage Playlists", "source": {"advisory": "GHSA-c695-m4g4-v3fv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MacWarrior", "product": "clipbucket-v5", "versions": [{"status": "affected", "version": "< 5.5.2-#147"}]}], "references": [{"url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv", "name": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc", "name": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer\u2019s browser, including administrators. This issue is fixed in version 5.5.2-#147."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-07T05:12:37.704Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64339", "state": "PUBLISHED", "dateUpdated": "2025-11-07T17:33:46.877Z", "dateReserved": "2025-10-30T17:40:52.030Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-07T05:12:37.704Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*", "matchCriteriaId": "31214EBB-325C-478D-9E78-FACDB17B17D2", "versionEndExcluding": "5.5.2-147", "versionStartIncluding": "5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ClipBucket v5 is an open source video sharing platform. In versions 5.5.2-#146 and below, the Manage Playlists feature is vulnerable to stored Cross-site Scripting (XSS),specifically in the Playlist Name field. An authenticated low-privileged user can create a playlist with a malicious name containing HTML/JavaScript code, which is rendered unescaped on playlist detail and listing pages. This results in arbitrary JavaScript execution in every viewer\u2019s browser, including administrators. This issue is fixed in version 5.5.2-#147."}, {"lang": "es", "value": "ClipBucket v5 es una plataforma de c\u00f3digo abierto para compartir videos. En las versiones 5.5.2-#146 e inferiores, la funci\u00f3n 'Manage Playlists' (Gestionar Listas de Reproducci\u00f3n) es vulnerable a 'cross-site scripting' (XSS) almacenado, espec\u00edficamente en el campo 'Playlist Name' (Nombre de la Lista de Reproducci\u00f3n). Un usuario autenticado con bajos privilegios puede crear una lista de reproducci\u00f3n con un nombre malicioso que contenga c\u00f3digo HTML/JavaScript, el cual se renderiza sin escapar en las p\u00e1ginas de detalle y listado de las listas de reproducci\u00f3n. Esto resulta en la ejecuci\u00f3n arbitraria de JavaScript en el navegador de cada espectador, incluyendo a los administradores. Este problema est\u00e1 solucionado en la versi\u00f3n 5.5.2-#147."}], "id": "CVE-2025-64339", "lastModified": "2025-11-26T15:42:24.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-11-07T06:15:33.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-c695-m4g4-v3fv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-11-07T10:53:39.459130+00:00", "updated": "2025-11-07T10:53:39.459191+00:00", "vendors": ["clip-bucket", "clip-bucket$PRODUCT$clipbucket"]}