ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.
ClipBucket 5.5.2 is deployed with default, hardcoded credentials for the administration panel (CWE-798 — use of hardcoded credentials). Without any prior authentication, an attacker can use these known, publicly available credentials to gain access to the administrative interface. No user interaction or knowledge of the target environment specifics is required — network access to the application management panel is sufficient.
Attacker gains full administrative control over the application, which may lead to account takeover, data leaks, content modification, and potential further compromise of server infrastructure.
Default administrator credentials must be changed immediately after each installation or application update. It is recommended to apply patches available from the vendor according to references. Until the update is applied, access to the administration panel should be restricted exclusively to trusted IP addresses using a firewall or other access control mechanisms.
ClipBucket version 5.5.2 (Oxygenz company product)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOxygenz Clipbucket
APPOxygenz5.3 – 5.5.2
Related vulnerabilities
TOCTOU Race Condition w ClipBucket umożliwia wykonanie kodu PHP
Blind SQL Injection w ClipBucket v5 — sekcja komentarzy kanału
ClipBucket V5 — nieograniczony upload plików PHP przez funkcję playlist
PHP Deserialization w ClipBucket V5 — zdalne wykonanie kodu
PHP Deserialization w ClipBucket V5 umożliwia zdalne wykonanie kodu