PT-2025-34236 · Unopim · Unopim

Sn1P3Rt3S7 · Published 2025-08-21 · Updated 2025-08-21 · CVE-2025-55743

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1
Description: The image upload functionality during user creation performs only client-side file type validation. An attacker can modify the file extension and content of an uploaded image to execute arbitrary code on the server. This allows for remote code execution (RCE), potentially leading to full system compromise, access to databases and filesystems, and access to other sensitive devices on the network. The vulnerability is exploitable by any user with the ability to change their profile picture within the dashboard. The vulnerable endpoint is /admin/settings/users/create. The vulnerable parameter is image[].
Recommendations: Versions prior to 0.2.1: Implement server-side extension validation using a whitelist approach, checking that the filename ends with an allowed extension (endswith()) rather than merely contains one (contains()), since a contains() check is bypassable.
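The following Python validator is an added example written for this advisory; it is not code from UnoPim, from the advisory author, or from the fix. It shows the recommended server-side approach: a whitelist applied to the final extension only (the endswith()-style check), plus a magic-byte check so the content must actually match the declared image type, and it keeps the bypassable contains()-style check alongside for comparison. The function names, the whitelist, and the sample byte strings are constructed assumptions, not values taken from UnoPim.

```python
import os
import secrets

# Assumed whitelist for profile images: each extension maps to the magic-byte
# prefixes a genuine file of that type starts with (constructed for this example).
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, or '' if there is none.

    Only the text after the LAST dot counts, so 'photo.jpg.php' yields 'php'.
    This is the endswith()-style check the advisory recommends.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def weak_contains_check(filename: str) -> bool:
    """The bypassable pattern the advisory warns against: accept any name that
    merely CONTAINS an allowed extension somewhere, not only at the end."""
    lowered = filename.lower()
    return any(f".{ext}" in lowered for ext in ALLOWED_IMAGE_TYPES)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Server-side check for one uploaded file.

    1. The final extension must be on the whitelist.
    2. The file content must start with the magic bytes of that image type,
       so renaming arbitrary content to .png is rejected as well.
    Returns (accepted, reason).
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension '{ext or '(none)'}' not in whitelist"
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return False, f"content does not match a .{ext} image header"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Discard the client-supplied name entirely: keep only the validated
    extension and use a random stem, so the stored path is never chosen by
    the uploader. Call only after validate_upload() accepted the file."""
    return f"{secrets.token_hex(16)}.{extension_of(filename)}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a non-image blob.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(validate_upload("avatar.png", png_bytes))          # (True, 'ok')
    print(validate_upload("avatar.png.php", png_bytes))      # rejected: final extension is php
    print(validate_upload("avatar.png", b"not an image"))    # rejected: header mismatch
    print(weak_contains_check("avatar.png.php"))             # True: the weak check lets it through
```

The design point is that the extension check and the content check are independent layers: the whitelist on the final extension stops double-extension names, and the magic-byte check stops valid-looking names carrying non-image content. Replacing the original filename with a random stem removes the remaining path-based attack surface.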

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2025-55743, GHSA-V22V-XWH7-2VRM

Affected Products: Unopim