CVE-2026-45060

ClipBucket · ClipBucket

The ClipBucket video sharing platform is vulnerable to unauthenticated blind SQL injection, allowing attackers to execute unauthorized database queries.

Executive summary

An unauthenticated SQL injection vulnerability in ClipBucket allows remote attackers to exfiltrate sensitive data from the underlying database.

Vulnerability

The actions/progress_video.php endpoint fails to properly sanitize the ids parameter, leading to a blind SQL injection vulnerability. Because the endpoint requires no authentication, a remote attacker can inject SQL into the query the endpoint runs against the database and infer its results indirectly.

Business impact

The CVSS score of 9.8 reflects the high severity of this vulnerability, as it requires no authentication to execute. Successful exploitation could result in the full exfiltration of user databases, administrative credentials, or proprietary video content, leading to significant data breaches and potential loss of platform integrity.

Remediation

Immediate Action: Update ClipBucket to version 5.5.3 - #129 or higher to patch the SQL injection vulnerability.

Proactive Monitoring: Monitor database query logs for syntax errors, unexpected UNION operations, or high volumes of suspicious requests targeting the progress_video.php endpoint.

Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block SQL injection patterns in incoming HTTP requests.
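The monitoring step above can be scripted. The following is an added example, not code from the advisory or from the ClipBucket project: it scans constructed web-server access-log lines for requests to progress_video.php whose ids parameter does not look like a comma-separated list of integer video ids (an assumption about the parameter's benign shape), carries a UNION keyword, or returned HTTP 500, and counts flagged requests per source to surface high-volume senders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined-style); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:00:01 +0000] "GET /actions/progress_video.php?ids=12,13 HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2026:10:00:02 +0000] "GET /actions/progress_video.php?ids=14 HTTP/1.1" 200 498
198.51.100.9 - - [01/May/2026:10:00:03 +0000] "GET /actions/progress_video.php?ids=12%27%20UNION%20SELECT HTTP/1.1" 500 0
198.51.100.9 - - [01/May/2026:10:00:04 +0000] "GET /actions/progress_video.php?ids=12%27 HTTP/1.1" 500 0
198.51.100.9 - - [01/May/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/actions/progress_video.php"
# Assumed benign shape of `ids`: a comma-separated list of integer video ids.
VALID_IDS = re.compile(r"\d+(,\d+)*")


def inspect_request(target, status):
    """Return the reasons a request to progress_video.php looks suspicious ([] if clean)."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return []
    reasons = []
    # parse_qs percent-decodes, so %27 and %20 are already a quote and a space here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ids", []):
        if not VALID_IDS.fullmatch(value):
            reasons.append(f"ids is not an integer list: {value!r}")
        if re.search(r"\bunion\b", value, re.IGNORECASE):
            reasons.append("UNION keyword in ids")
    if status == 500:
        reasons.append("HTTP 500 (possible SQL syntax error)")
    return reasons


def scan_log(text, volume_threshold=2):
    """Parse log lines; return (alerts, sources with >= volume_threshold flagged requests)."""
    alerts, per_source = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["target"], int(m["status"]))
        if reasons:
            alerts.append((m["ip"], m["target"], reasons))
            per_source[m["ip"]] += 1
    noisy = sorted(ip for ip, n in per_source.items() if n >= volume_threshold)
    return alerts, noisy
```

Running scan_log(SAMPLE_LOG) flags the two 198.51.100.9 requests and reports that address as a high-volume source; the clean integer-list requests and the unrelated index.php request produce no alert.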

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the unauthenticated nature of this vulnerability, it presents a significant risk to data confidentiality. Organizations running ClipBucket must apply the provided update immediately to prevent unauthorized database access and potential data exfiltration.