216.73.217.22

CVE-2025-62709

· Published 20/11/2025 17:15 · Modified 25/11/2025 19:04

Labels: CVE-2025-62709 2025-11-20CVE-2025-62709CWE-640[email protected]

Essential information

Published
20/11/2025 17:15
Modified
25/11/2025 19:04
Author
Creator
CVSS
6.8 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS metrics

Description

ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker’s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim’s password and take over the account. This issue has been patched in version 5.5.2#162.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
oxygenz / clipbucket cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*

References