Sn1P3Rt3S7

Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.3.1 Description: UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are susceptible to CSV injection, also known as formula injection, in the Quick Export feature. This allows attackers to inject malicious content into exported CSV files. When opened in spreadsheet applications like Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially leading to the execution of arbitrary code on the victim’s device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Recommendations: Upgrade to version 0.3.1 or later.

Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1 Description: UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, contains a stored cross-site scripting vulnerability. The vulnerability is due to an SVG MIME/sanitizer bypass in the `/admin/settings/users/create` endpoint. An attacker can exploit this issue by uploading a specially crafted SVG file with a manipulated MIME type, potentially allowing them to execute arbitrary JavaScript code on behalf of other administrators. The session cookie is marked as http-only, which prevents cookie exfiltration via JavaScript, but does not prevent the attacker from performing actions as the victim. Recommendations: Versions prior to 0.2.1: Check file extensions and whitelist allowed extensions. Versions prior to 0.2.1: Verify that the MIME type matches the file extension. Versions prior to 0.2.1: If the file extension is SVG, ensure proper sanitization is performed.

Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1 Description: The image upload functionality during user creation performs only client-side file type validation. An attacker can modify the file extension and content of an uploaded image to execute arbitrary code on the server. This allows for remote code execution (RCE), potentially leading to full system compromise, access to databases and filesystems, and access to other sensitive devices on the network. The vulnerability is exploitable by any user with the ability to change their profile picture within the dashboard. The vulnerable endpoint is `/admin/settings/users/create`. The vulnerable parameter is `image[]`. Recommendations: Versions prior to 0.2.1: Implement server-side extension validation using a whitelist approach, utilizing the `endswith()` check instead of `contains()` to prevent bypasses.

**Name of the Vulnerable Software and Affected Versions:** UnoPim versions prior to 0.2.1 **Description:** UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, is susceptible to Cross-Site Request Forgery (CSRF) attacks. Certain endpoints lack appropriate CSRF protection, allowing an attacker to perform state-changing operations on behalf of an authenticated victim. Specifically, the `/admin/catalog/products/copy/{id}`, `/admin/catalog/products/edit/{id}`, `/admin/catalog/categories/create`, `/admin/catalog/categories/edit/{id}`, `/admin/catalog/category-fields/create`, `/admin/catalog/category-fields/edit/{id}`, `/admin/catalog/attributes/create`, and `/admin/catalog/attributes/edit/{id}` endpoints are vulnerable. The application uses the `X-XSRF-TOKEN` header for some endpoints, but it is missing in others. The vulnerability occurs because the vulnerable POST requests do not require the `X-XSRF-TOKEN` header and use either `application/x-www-form-urlencoded` or `multipart/form-data` content types, combined with cookies being sent due to the `samesite` attribute being set to `None`. **Recommendations:** - Update to version 0.2.1 or later to resolve the issue. - Implement CSRF tokens for all state-changing requests. - Configure the `samesite` attribute to `lax` or `strict` to prevent CSRF attacks. - Ensure all state-changing requests are performed using the POST method instead of GET. If the product copy feature uses GET requests, set `samesite` to `strict`. Otherwise, `samesite: lax` should be sufficient.