CVE-2013-10040

ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://clipbucket.com/	Product
https://github.com/arslancb/clipbucket	Product
https://packetstorm.news/files/id/123480	Exploit Third Party Advisory
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/clipbucket-arbitrary-file-upload-rce	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:clip-bucket:clipbucket:*:*:*:*:*:*:*:*

History

23 Sep 2025, 23:36

Type	Values Removed	Values Added
Summary		(es) La versión 2.6 y anteriores de ClipBucket contienen una vulnerabilidad crítica en el script ofc_upload_image.php, ubicado en /admin_area/charts/ofc-library/. Este endpoint permite a usuarios no autenticados cargar archivos arbitrarios, incluyendo scripts PHP ejecutables. Una vez cargados, el atacante puede acceder al archivo a través de una ruta predecible y activar la ejecución remota de código.
First Time		Clip-bucket Clip-bucket clipbucket
CPE		cpe:2.3:a:clip-bucket:clipbucket::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://clipbucket.com/ -~~	() https://clipbucket.com/ - Product
References	~~() https://github.com/arslancb/clipbucket -~~	() https://github.com/arslancb/clipbucket - Product
References	~~() https://packetstorm.news/files/id/123480 -~~	() https://packetstorm.news/files/id/123480 - Exploit, Third Party Advisory
References	~~() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb -~~	() https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/clipbucket_upload_exec.rb - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/clipbucket-arbitrary-file-upload-rce -~~	() https://www.vulncheck.com/advisories/clipbucket-arbitrary-file-upload-rce - Third Party Advisory

31 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-31 15:15

Updated : 2025-09-23 23:36

NVD link : CVE-2013-10040

Mitre link : CVE-2013-10040

CVE.ORG link : CVE-2013-10040

JSON object : View

Products Affected

clip-bucket

clipbucket

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

9.8 /10