cbcvebase.
CVE-2018-7665
published 2018-03-05

CVE-2018-7665: An issue was discovered in ClipBucket before 4.0.0 Release 4902. A malicious file can be uploaded via the name parameter to actions/beats_uploader.php or…

PriorityP267critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
16.41%
96.6th percentile
An issue was discovered in ClipBucket before 4.0.0 Release 4902. A malicious file can be uploaded via the name parameter to actions/beats_uploader.php or actions/photo_uploader.php, or the coverPhoto parameter to edit_account.php.

Affected

5 ranges
VendorProductVersion rangeFixed in
clip-bucketclipbucket<= 4.0.0
elfutils_projectelfutils>= 0 < 0.176-1.1ubuntu0.10.176-1.1ubuntu0.1
elfutils_projectelfutils>= 0 < 0.158-0ubuntu5.3+esm10.158-0ubuntu5.3+esm1
elfutils_projectelfutils>= 0 < 0.165-3ubuntu1.2+esm10.165-3ubuntu1.2+esm1
elfutils_projectelfutils>= 0 < 0.170-0.4ubuntu0.1+esm10.170-0.4ubuntu0.1+esm1

Detection & IOCsextracted from sources · hover to see the quote

path/actions/beats_uploader.php
path/actions/photo_uploader.php
path/action/beats_uploader.php
  • Monitor for unauthenticated POST requests to /actions/beats_uploader.php, /actions/photo_uploader.php, or /edit_account.php containing file upload payloads (e.g., PHP webshells) — no valid session cookie is required by the vulnerable endpoint.
  • Alert on file uploads via the `name` parameter to beats_uploader.php or photo_uploader.php, and the `coverPhoto` parameter to edit_account.php, especially where the uploaded file has a script extension (e.g., .php).
  • Flag subsequent HTTP requests to the upload destination path that result in OS command execution, indicating a successfully uploaded webshell being invoked.
  • ·The vulnerability affects ClipBucket versions strictly before 4.0.0 Release 4902; detections should be scoped to environments running unpatched versions of ClipBucket.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.