PT-2025-34241 · Laravel+1

Sn1P3Rt3S7 · Published 2025-08-21 · Updated 2025-08-21 · CVE-2025-55744

CVSS v4.0: 8.2 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1
Description: UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, is vulnerable to Cross-Site Request Forgery (CSRF). Several admin endpoints lack CSRF protection, so an attacker who lures an authenticated administrator to a malicious page can perform state-changing operations in the victim's session. The affected endpoints are:
  • /admin/catalog/products/copy/{id}
  • /admin/catalog/products/edit/{id}
  • /admin/catalog/categories/create
  • /admin/catalog/categories/edit/{id}
  • /admin/catalog/category-fields/create
  • /admin/catalog/category-fields/edit/{id}
  • /admin/catalog/attributes/create
  • /admin/catalog/attributes/edit/{id}
The application validates the X-XSRF-TOKEN header on some endpoints but not on these. Three conditions combine to make the forgery possible: the vulnerable POST requests are accepted without the X-XSRF-TOKEN header that the rest of the admin UI sends; they use the application/x-www-form-urlencoded or multipart/form-data content types, which a plain HTML form on any origin can submit without a CORS preflight (a JSON body could not be forged this way); and the session cookie is issued with the SameSite attribute set to None, so the browser attaches it to the cross-site request.
Recommendations:
  • Update to UnoPim 0.2.1 or later, which fixes the issue.
  • Enforce a CSRF token on every state-changing request. In Laravel this is the VerifyCsrfToken middleware, which accepts the token from the _token form field or from the X-CSRF-TOKEN / X-XSRF-TOKEN header; every non-safe route must pass through it.
  • Set the session cookie's SameSite attribute to Lax or Strict. Lax still sends the cookie on top-level GET navigations, so it only protects state changes that are made with POST or another non-safe method; Strict blocks the cookie on every cross-site request.
  • Perform all state-changing actions with POST rather than GET. If the product copy feature is triggered by a GET request, Lax will not stop a forged request to it and SameSite must be Strict; otherwise Lax is sufficient. Treat SameSite as defence in depth rather than a replacement for the token check: it relies on browser behaviour and does not cover an attacker who controls another host under the same site.
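The interplay described above, as an added example (not UnoPim or Laravel code): a short Python model of the two controls that decide whether a forged cross-site request succeeds, the browser's SameSite rule and the server's token check. The endpoint paths are those listed in this advisory; the form field names, the session token value and the function names are constructed for illustration. The token check mirrors the logic of Laravel's VerifyCsrfToken middleware in simplified form (the real middleware decrypts the X-XSRF-TOKEN cookie value before comparing it).

```python
# Added example, not UnoPim or Laravel code. Models why the combination of
# "no token check" + "form content type" + "SameSite=None" lets a forged
# request through, and which of the recommended changes stops it.
import hmac
from dataclasses import dataclass, field

# Content types a plain HTML <form> can produce. None of them triggers a CORS
# preflight, so an attacker's page can post them to any origin. A JSON body
# cannot be produced by a form, and a fetch() carrying it would be preflighted.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class Request:
    method: str
    path: str
    content_type: str = ""
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    cross_site: bool = True   # issued from the attacker's origin
    top_level: bool = True    # a navigation (form submit / link), not a fetch()


def browser_sends_session_cookie(req: Request, same_site: str) -> bool:
    """Simplified SameSite rule: 'none' always attaches the cookie, 'lax' only
    on top-level navigations with a safe method, 'strict' never cross-site."""
    if not req.cross_site:
        return True
    same_site = same_site.lower()
    if same_site == "strict":
        return False
    if same_site == "lax":
        return req.top_level and req.method in ("GET", "HEAD")
    if same_site == "none":
        return True
    raise ValueError(f"unknown SameSite value: {same_site}")


def form_can_forge(req: Request) -> bool:
    """Can an attacker-controlled HTML page emit this request without a preflight?"""
    if req.method == "GET":
        return True
    return req.method == "POST" and req.content_type in FORM_CONTENT_TYPES


def csrf_token_check(req: Request, session_token: str, enforced: bool) -> bool:
    """Laravel-style verification, modelled: safe methods are not checked, routes
    not covered by the middleware are not checked, otherwise the request must
    carry the session token in _token or in X-CSRF-TOKEN / X-XSRF-TOKEN."""
    if not enforced or req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    presented = (req.form.get("_token")
                 or req.headers.get("X-CSRF-TOKEN")
                 or req.headers.get("X-XSRF-TOKEN"))
    return presented is not None and hmac.compare_digest(presented, session_token)


def forged_request_succeeds(req: Request, same_site: str, enforced: bool,
                            session_token: str = "s3ss10n-t0k3n") -> bool:
    """True when a victim with a live admin session, visiting the attacker's page,
    ends up performing the state change. The attacker never learns
    session_token (constructed value), so a forged request carries no valid token."""
    return (form_can_forge(req)
            and browser_sends_session_cookie(req, same_site)
            and csrf_token_check(req, session_token, enforced))


def evaluate() -> dict:
    """Outcomes for the configurations discussed in the advisory."""
    post_form = Request("POST", "/admin/catalog/categories/create",
                        "application/x-www-form-urlencoded",
                        form={"code": "evil", "name": "Evil"})  # constructed fields
    get_copy = Request("GET", "/admin/catalog/products/copy/1")
    return {
        "post_none_no_token_check":  forged_request_succeeds(post_form, "none", False),
        "post_lax_no_token_check":   forged_request_succeeds(post_form, "lax", False),
        "get_lax_no_token_check":    forged_request_succeeds(get_copy, "lax", False),
        "get_strict_no_token_check": forged_request_succeeds(get_copy, "strict", False),
        "post_none_token_check":     forged_request_succeeds(post_form, "none", True),
    }


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:28s} forged request {'SUCCEEDS' if ok else 'blocked'}")
```

The first row is the vulnerable configuration. Switching the cookie to Lax blocks the forged form POST, but the GET row shows why the last recommendation insists on Strict if the copy action is reachable by GET. The final row shows that enforcing the token check alone stops the forgery regardless of the cookie setting, which is why the token is the primary fix and SameSite the backstop.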

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-55744
GHSA-287X-6R2H-F9MW

Affected Products

Laravel
UnoPim