CVE-2024-54135

🗓️ 06 Dec 2024 15:11:04Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 49 Views🌐 WEB

ClipBucket V5 versions 2.0 to 5.5.1 Revision 199 are vulnerable to PHP Deserialization attack.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2024-54135	6 Dec 202418:07	–	circl
CNNVD	ClipBucket 代码问题漏洞	6 Dec 202400:00	–	cnnvd
Cvelist	CVE-2024-54135 Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199	6 Dec 202415:11	–	cvelist
EUVD	EUVD-2024-52306	3 Oct 202520:07	–	euvd
NVD	CVE-2024-54135	6 Dec 202416:15	–	nvd
OSV	CVE-2024-54135 Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199	6 Dec 202415:11	–	osv
Positive Technologies	PT-2024-36063	6 Dec 202400:00	–	ptsecurity
RedhatCVE	CVE-2024-54135	5 Feb 202504:03	–	redhatcve
Vulnrichment	CVE-2024-54135 Untrusted Deserialization in ClipBucket-v5 Version 2.0 to 5.5.1 Revision 199	6 Dec 202415:11	–	vulnrichment

NVD

Vulners

Vulnrichment

Node

oxygenz clipbucketRange2.0–5.5.1-200

[
  {
    "vendor": "MacWarrior",
    "product": "clipbucket-v5",
    "versions": [
      {
        "version": ">= 2.0, < 5.5.1 Revision 200",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/MacWarrior/clipbucket-v5/commit/76a829c088f0813ab3244a3bd0036111017409b0
github	www.github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-4523-mqmv-wrqx

Parameter	Position	Path	Description	CWE
collection	query param	upload/photo_upload.php	PHP deserialization vulnerability via unsanitized user input passed to decode_key which calls unserialize, enabling crafted serialized objects to be injected.	CWE-502
photoIDS	request body	upload/photo_upload.php	PHP deserialization vulnerability via unsanitized user input in photoIDS POST parameter that is processed by decode_key and unserialize, enabling gadget chains.	CWE-502

22 Sep 2025 17:58Current

9.3High risk

Vulners AI Score9.3

CVSS 3.18.8 - 9.8

EPSS0.00254

SSVC

CWE-502

cve-2024-54135 php deserialization vulnerability clipbucket v5 versions 2.0 to 5.5.1