CVE-2025-62430: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MacWarrior clipbucket-v5
ClipBucket v5 is an open source video sharing platform. ClipBucket v5 through build 5.5.2 #145 allows stored cross-site scripting (XSS) in multiple video and photo metadata fields. For videos the Tags field and the Genre, Actors, Producer, Executive Producer, and Director fields in Movieinfos accept user supplied values without adequate sanitization. For photos the Photo Title and Photo Tags fields accept user supplied values without adequate sanitization. A regular user who can edit a video or photo can inject script (for example by supplying a value such as a closing delimiter followed by a script element). The injected script executes when any user, including an unauthenticated visitor or an administrator, views the affected video or photo page. Although cookies are set with the HttpOnly attribute and cannot be read directly, the injected script can issue fetch requests to endpoints such as admin_area pages and exfiltrate their contents or trigger unintended actions. Version 5.5.2 build #146 and later contain a fix. Update to build 5.5.2 #146 or later. No known workarounds exist.
AI Analysis
Technical Summary
CVE-2025-62430 is a stored cross-site scripting (XSS) vulnerability identified in the open-source video sharing platform ClipBucket v5, specifically in versions prior to build 5.5.2 #146. The vulnerability arises from improper input sanitization in multiple metadata fields associated with videos and photos. For videos, the Tags, Genre, Actors, Producer, Executive Producer, and Director fields within Movieinfos accept user-supplied input without adequate neutralization of potentially malicious content. Similarly, for photos, the Photo Title and Photo Tags fields are vulnerable. An authenticated user with permission to edit videos or photos can inject malicious JavaScript code by inserting crafted input, such as a closing HTML delimiter followed by a script element. This malicious script is stored persistently and executes whenever any user, including unauthenticated visitors or administrators, views the affected media page. Although cookies are protected with the HttpOnly attribute, preventing direct theft via JavaScript, the injected script can still issue fetch requests to sensitive endpoints like admin_area pages. This capability allows attackers to exfiltrate sensitive data or trigger unauthorized actions on behalf of the victim. The vulnerability does not require any privileges beyond edit rights, and user interaction is necessary to trigger the script execution (i.e., viewing the affected page). The CVSS v3.1 base score is 5.4, reflecting a medium severity level due to the potential for confidentiality and integrity impact but no direct availability impact. The vendor has addressed this issue in build 5.5.2 #146 and later versions. No known workarounds exist, making timely patching essential to mitigate exploitation risks. There are no known exploits in the wild at the time of publication.
Potential Impact
For European organizations using vulnerable versions of ClipBucket v5, this XSS vulnerability poses a significant risk to confidentiality and integrity of sensitive information. Attackers with edit permissions can inject malicious scripts that execute in the context of any user viewing the affected media pages, including administrators. This can lead to unauthorized data exfiltration from administrative interfaces, manipulation of platform content, or triggering of unintended administrative actions. The impact is particularly critical for organizations hosting sensitive or proprietary video/photo content or managing user data through ClipBucket. Exploitation could undermine trust in the platform, lead to data breaches involving personal or corporate information, and potentially facilitate further attacks within the organization’s network. Given that the vulnerability requires only edit permissions and user interaction, insider threats or compromised user accounts could be leveraged to exploit this flaw. The absence of workarounds increases the urgency for patching. European entities relying on ClipBucket for media sharing or content management should prioritize updates to prevent exploitation and maintain compliance with data protection regulations such as GDPR.
Mitigation Recommendations
1. Immediately upgrade ClipBucket v5 installations to build 5.5.2 #146 or later, where the vulnerability is fixed.
2. Restrict edit permissions strictly to trusted users to minimize the risk of malicious script injection.
3. Implement additional input validation and sanitization at the application layer for all user-supplied metadata fields, even post-patch, to provide defense in depth.
4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
5. Monitor logs and user activity for unusual behavior indicative of exploitation attempts, especially edits to video/photo metadata fields.
6. Educate administrators and content editors about the risks of XSS and safe content handling practices.
7. Regularly audit and review user permissions and ClipBucket configurations to ensure adherence to the principle of least privilege.
8. If feasible, isolate the ClipBucket platform within a segmented network zone to limit lateral movement in case of compromise.
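The vendor fix lives in ClipBucket's PHP templates and is not reproduced here. The following is an added Python illustration, not ClipBucket code, of the defensive points in recommendations 3 to 5: escaping every metadata value at output time (so a stored closing delimiter followed by a script element is rendered as literal text), a pre-save check that flags markup-like content in the fields the advisory names so that such edits can be logged or rejected, and a restrictive CSP value. The sample record, the snake_case field names, and the CSP policy string are constructed assumptions; the policy in particular must be tested against a real deployment, since a site that relies on inline scripts will need a nonce-based variant.

```python
import html
import re
from typing import Dict, List

# The video metadata fields named in the advisory (snake_case names are assumed,
# not ClipBucket's real column names).
METADATA_FIELDS = (
    "tags", "genre", "actors", "producer", "executive_producer", "director",
)

# Constructed sample record containing the kind of input the advisory describes:
# a closing delimiter followed by a script element, and a tag with an event handler.
SAMPLE_VIDEO: Dict[str, str] = {
    "tags": 'beach, sun"><script>alert(1)</script>',
    "genre": "Documentary",
    "actors": "Jane Doe",
    "producer": "Example Studio",
    "executive_producer": "",
    "director": "<img src=x onerror=alert(1)>",
}

# Anything that looks like a tag, an inline event handler, or a javascript: URL.
# Quotes alone are not flagged: they are legitimate in names and titles, and
# output escaping (below) neutralizes them anyway.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def escape_html(value: str) -> str:
    """Escape &, <, >, \" and ' so the value is safe in both element text and
    double-quoted attribute context. This is the output-encoding step whose
    absence the advisory describes."""
    return html.escape(value, quote=True)


def render_video_meta(video: Dict[str, str]) -> str:
    """Hardened rendering of the metadata table and the edit form input.
    Every value passes through escape_html at the moment it is placed in HTML,
    regardless of whether it was validated on the way into the database."""
    rows: List[str] = []
    for field in METADATA_FIELDS:
        value = escape_html(video.get(field, ""))
        rows.append(f"<tr><th>{field}</th><td>{value}</td></tr>")
    # Attribute context: the escaped double quote cannot close value="...".
    form = f'<input name="tags" value="{escape_html(video.get("tags", ""))}">'
    return "<table>" + "".join(rows) + "</table>" + form


def fields_with_markup(record: Dict[str, str]) -> List[str]:
    """Pre-save / audit check for recommendation 5: return the metadata fields
    whose value contains markup-like content. A caller can reject the edit,
    or accept it and write an audit log entry naming the user and field."""
    return [f for f in METADATA_FIELDS if MARKUP_RE.search(record.get(f, ""))]


def csp_header() -> str:
    """Example Content-Security-Policy value for recommendation 4 (assumed, not
    ClipBucket's). Without 'unsafe-inline' in script-src, an injected inline
    <script> element is blocked by the browser even if escaping is missed."""
    return (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'self'"
    )


if __name__ == "__main__":
    print("flagged fields:", fields_with_markup(SAMPLE_VIDEO))
    print(render_video_meta(SAMPLE_VIDEO))
    print("Content-Security-Policy:", csp_header())
```

Escaping at output is the primary control: it works even for values that were stored before the check existed, which matters here because records injected before the upgrade remain in the database after patching. The markup check is a secondary signal for logging and review, not a replacement for encoding.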
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-13T16:26:12.181Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f284899c34d0947f39a008
Added to database: 10/17/2025, 6:01:45 PM
Last enriched: 10/17/2025, 6:16:42 PM
Last updated: 10/19/2025, 4:50:59 AM