UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. This vulnerability is fixed in 0.1.5.
Metrics
Affected Vendors & Products
References
History
Wed, 13 Nov 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Unopim
Unopim unopim |
|
CPEs | cpe:2.3:a:unopim:unopim:*:*:*:*:*:*:*:* | |
Vendors & Products |
Unopim
Unopim unopim |
|
Metrics |
ssvc
|
Wed, 13 Nov 2024 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
cvssV3_1
|
Wed, 13 Nov 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. This vulnerability is fixed in 0.1.5. | |
Title | UnoPim Stored XSS : Cookie hijacking through Create User function | |
Weaknesses | CWE-616 CWE-692 |
|
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-13T15:20:20.679Z
Updated: 2024-11-13T19:25:30.116Z
Reserved: 2024-11-06T19:00:26.397Z
Link: CVE-2024-52305
Vulnrichment
Updated: 2024-11-13T19:24:57.019Z
NVD
Status : Awaiting Analysis
Published: 2024-11-13T16:15:20.473
Modified: 2024-11-13T19:15:08.853
Link: CVE-2024-52305
Redhat
No data.