CVE-2025-55742
📋 TL;DR
UnoPim versions before 0.2.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts via SVG files at the user creation endpoint. This affects all UnoPim instances running vulnerable versions, potentially compromising admin panels and user data. The vulnerability is exploitable by attackers who can access the /admin/settings/users/create endpoint.
💻 Affected Systems
- UnoPim
📦 What is this software?
Unopim by Webkul
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform actions as administrators, compromise the entire PIM system, and pivot to internal networks.
Likely Case
Attackers inject malicious JavaScript to steal session tokens, redirect users to phishing sites, or deface the admin interface.
If Mitigated
With proper input validation and output encoding, the impact is limited to failed exploitation attempts with no data compromise.
🎯 Exploit Status
Exploitation requires authenticated access to the vulnerable endpoint and knowledge of SVG MIME bypass techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.1
Vendor Advisory: https://github.com/unopim/unopim/security/advisories/GHSA-xr97-25v7-hc2q
Restart Required: Yes
Instructions:
1. Backup your UnoPim database and files.
2. Update UnoPim to version 0.2.1 via composer: 'composer require unopim/unopim:0.2.1'.
3. Run Laravel migrations if needed: 'php artisan migrate'.
4. Clear caches: 'php artisan cache:clear' and 'php artisan config:clear'.
5. Restart your web server.
🔧 Temporary Workarounds
Disable SVG uploads
Configure the web server or application to block SVG file uploads at the vulnerable endpoint.
# Add to .htaccess for Apache:
<FilesMatch "\.svg$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# Nginx config:
location ~* \.svg$ { deny all; }
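The web-server rules above deny requests for stored .svg paths; the complementary control is to reject the file at upload time. The following is an added example, not UnoPim code: it decides by sniffing the uploaded bytes rather than trusting the client-declared Content-Type, which is exactly what a MIME bypass defeats. The accepted-type table, sample payloads and function names are constructed for illustration.

```python
"""Upload guard for the image field of a user-creation form (constructed
example, not UnoPim code). Decisions are made on file content, never on
the declared Content-Type header."""
import re

# Magic prefixes of the raster formats the endpoint is meant to accept (constructed policy).
RASTER_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
# Optional BOM plus XML prologue parts that may legitimately precede the root element.
_PROLOGUE = re.compile(
    rb"^(?:\xef\xbb\xbf)?(?:\s|<\?xml[^>]*\?>|<!DOCTYPE[^>]*>|<!--.*?-->)*", re.S | re.I)
# Scripting constructs inside SVG: a detection signal for logging, not a sanitizer.
_ACTIVE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignobject\b", re.I)

def sniff_is_svg(body: bytes) -> bool:
    """True if the payload is an SVG document, whatever the headers claim."""
    rest = body[_PROLOGUE.match(body).end():]
    return re.match(rb"<svg\b", rest, re.I) is not None

def svg_has_active_content(body: bytes) -> bool:
    """Flag script tags, event handlers, javascript: URIs or foreignObject."""
    return _ACTIVE.search(body) is not None

def validate_upload(declared_type: str, body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). SVG is refused outright; rasters must match their magic."""
    if sniff_is_svg(body):
        suffix = " (active content)" if svg_has_active_content(body) else ""
        return False, "svg rejected" + suffix
    magic = RASTER_MAGIC.get(declared_type)
    if magic is None:
        return False, f"type not allowed: {declared_type}"
    if not body.startswith(magic):
        return False, f"content does not match declared {declared_type}"
    return True, "ok"

# Constructed sample uploads: (declared Content-Type, body). Not taken from any real request.
SAMPLES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8),
    "svg_declared": ("image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
    "svg_as_png": ("image/png", b'<?xml version="1.0"?>\n<!-- c -->\n'
                   b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'),
    "gif_as_png": ("image/png", b"GIF89a" + b"\0" * 8),
}

def run_samples() -> dict[str, tuple[bool, str]]:
    """Validate every constructed sample and return the per-file verdicts."""
    return {name: validate_upload(t, body) for name, (t, body) in SAMPLES.items()}
```

The "svg_as_png" case is the one a header-only check lets through: the declared type is an allowed raster, but the bytes are an SVG document.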
Restrict admin access
Implement IP whitelisting or additional authentication for the /admin/settings/users/create endpoint.
# Laravel middleware example for IP restriction
# Add to app/Http/Middleware/TrustProxies.php or create custom middleware
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to block inline scripts and unsafe eval.
- Deploy a WAF with XSS protection rules to filter malicious SVG payloads.
🔍 How to Verify
Check if Vulnerable:
Check if UnoPim version is below 0.2.1 by examining composer.json or running 'composer show unopim/unopim'.
Check Version:
composer show unopim/unopim | grep versions
Verify Fix Applied:
Confirm version is 0.2.1 or higher and test SVG upload functionality at the vulnerable endpoint with malicious payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin/settings/users/create with SVG files
- Log entries containing JavaScript or SVG script tags in user creation requests
Network Indicators:
- HTTP requests with SVG files containing script tags or JavaScript code
- Abnormal traffic patterns to admin endpoints
SIEM Query:
source="web_logs" AND (url="/admin/settings/users/create" AND file_extension="svg")
🔗 References
- https://github.com/unopim/unopim/commit/49d5f6ac4d5d9ef7d9cdfe01853234d531c55f75
- https://github.com/unopim/unopim/commit/b596021b5a5e0656abe16c01ae0e84c95f9fe902
- https://github.com/unopim/unopim/commit/b5e169e65725e0d80b6c79d57e62a25e1af6a3c3
- https://github.com/unopim/unopim/security/advisories/GHSA-xr97-25v7-hc2q