PT-2025-34235 · Laravel+1

Sn1P3Rt3S7
Published: 2025-08-21 · Updated: 2025-08-21
CVE-2025-55742
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1
Description: UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, contains a stored cross-site scripting vulnerability. The vulnerability is due to an SVG MIME/sanitizer bypass in the /admin/settings/users/create endpoint. An attacker can exploit this issue by uploading a specially crafted SVG file with a manipulated MIME type, potentially allowing them to execute arbitrary JavaScript code on behalf of other administrators. The session cookie is marked as http-only, which prevents cookie exfiltration via JavaScript, but does not prevent the attacker from performing actions as the victim.
Recommendations (versions prior to 0.2.1): check file extensions and whitelist allowed extensions; verify that the MIME type matches the file extension; if the file extension is SVG, ensure proper sanitization is performed.
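The three recommendations above combined into a single upload check, as an added example that is not UnoPim's or Laravel's own code (written in Python for illustration). It goes a step beyond the advisory text: the real file type is sniffed from the content (magic bytes, or the `<svg` root for XML) instead of being taken from the declared Content-Type, and SVG sanitization is allowlist-based, so script elements, `on*` handlers and `href` links are dropped rather than pattern-matched. The allowed extension list, the SVG element/attribute allowlist and the sample files are constructed assumptions, not values from the advisory.

```python
import xml.etree.ElementTree as ET

# Allowed upload extensions (constructed for this example; UnoPim's real list is not on the page).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg"}
CANONICAL_EXT = {"jpeg": "jpg"}
MIME_FOR = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "svg": "image/svg+xml"}

# Leading bytes that identify the raster formats; the client-declared Content-Type is never trusted.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize without an ns0: prefix

# Allowlists for SVG (constructed): anything not listed is removed, which covers <script>,
# <foreignObject>, <style>, <a>, <use>, every on* handler and every href/xlink:href.
SAFE_SVG_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
                 "text", "title", "desc", "defs", "linearGradient", "radialGradient", "stop"}
SAFE_SVG_ATTRS = {"id", "class", "x", "y", "width", "height", "viewBox", "d", "fill", "stroke",
                  "stroke-width", "cx", "cy", "r", "rx", "ry", "points", "x1", "y1", "x2", "y2",
                  "transform", "offset", "stop-color", "font-size", "text-anchor"}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def sniff_type(data: bytes):
    """Identify the real file type from its content, independent of name and declared MIME."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:4096].lstrip(b"\xef\xbb\xbf").lstrip().lower()
    if head.startswith((b"<?xml", b"<svg", b"<!doctype svg")) and b"<svg" in head:
        return "svg"
    return None


def _clean(elem):
    """Recursively drop elements and attributes that are not on the allowlists."""
    for child in list(elem):
        if _local(child.tag) not in SAFE_SVG_TAGS:
            elem.remove(child)
        else:
            _clean(child)
    for attr in list(elem.attrib):
        if _local(attr) not in SAFE_SVG_ATTRS:
            del elem.attrib[attr]


def sanitize_svg(data: bytes) -> bytes:
    """Parse the SVG and re-serialize only the allowlisted elements and attributes."""
    if b"<!entity" in data.lower():  # no custom entities: avoids entity-expansion tricks
        raise UploadRejected("SVG with entity declarations is not accepted")
    try:
        root = ET.fromstring(data)  # stdlib parser does not fetch external entities
    except ET.ParseError as exc:
        raise UploadRejected(f"malformed SVG: {exc}") from exc
    if _local(root.tag) != "svg":
        raise UploadRejected("root element is not <svg>")
    _clean(root)
    return ET.tostring(root, encoding="utf-8")


def validate_upload(filename: str, data: bytes, client_mime: str):
    """Apply the advisory's three checks; return (canonical type, bytes safe to store)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:                       # 1. extension whitelist
        raise UploadRejected(f"extension {ext!r} not allowed")
    ext = CANONICAL_EXT.get(ext, ext)
    declared = client_mime.split(";", 1)[0].strip().lower()
    if declared != MIME_FOR[ext]:                           # 2. declared MIME must match extension
        raise UploadRejected(f"declared MIME {declared!r} does not match .{ext}")
    sniffed = sniff_type(data)
    if sniffed != ext:                                      # 2b. and so must the actual content
        raise UploadRejected(f"content looks like {sniffed!r}, not .{ext}")
    if ext == "svg":                                        # 3. sanitize SVG before storing
        data = sanitize_svg(data)
    return ext, data


def is_rejected(filename: str, data: bytes, client_mime: str) -> bool:
    """True if validate_upload raises UploadRejected for this input."""
    try:
        validate_upload(filename, data, client_mime)
    except UploadRejected:
        return True
    return False


# Constructed sample: an SVG carrying the usual script vectors.
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<circle cx="5" cy="5" r="4" onclick="alert(1)"/>'
    b'<a xlink:href="javascript:alert(1)"><text x="1" y="1">hi</text></a>'
    b'</svg>'
)
VALID_PNG = MAGIC["png"] + b"\x00" * 16  # constructed: header only, enough for the sniff check

if __name__ == "__main__":
    print(validate_upload("avatar.svg", MALICIOUS_SVG, "image/svg+xml")[1].decode())
    print("svg named .png:", is_rejected("avatar.png", MALICIOUS_SVG, "image/png"))
```

The sanitized output of the sample keeps only the `<svg>` root and the `<circle>`; the `onload` handler, the `<script>` element and the `javascript:` link are gone. The same file renamed to `.png`, or uploaded with a mismatching Content-Type, is rejected before the sanitizer runs.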

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-55742
GHSA-XR97-25V7-HC2Q

Affected Products

Laravel
Unopim