CVE-2024-52305

Published: Nov 13, 2024

Modified: Nov 13, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. This vulnerability is fixed in 0.1.5.

Vendor	Product	Versions
unopim	unopim	affected `< 0.1.5`

Weaknesses (CWE)

CWE-616

CWE-692

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/unopim/unopim/security/advisories/GHSA-cgr4-c233-h733

x_refsource_CONFIRM

https://github.com/unopim/unopim/commit/9a0da7a0892c60f58df2351b5a9498dcb4cb8b7a

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-52305

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References