CVE-2024-52305 MEDIUM

CVE-2024-52305: UnoPim Stored XSS: Cookie hijacking through Create User function

Vendor Unopim
Product unopim
Weakness CWE-616
Published November 13, 2024
Last update November 13, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. This vulnerability is fixed in 0.1.5.
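As an added illustration of the server-side gate that closes this class of bug (example code, not UnoPim's own fix), the check below rejects an uploaded SVG before it is stored if it carries a script element, an event-handler attribute, a javascript: or data: URL, or a DTD. The sample SVG documents are constructed for the test; the function and constant names are this example's own.

```python
"""Reject SVG profile images that carry active content (added example, not UnoPim code)."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that let an SVG run script or embed HTML when rendered inline.
ACTIVE_TAGS = {"script", "foreignObject"}
SCRIPT_URL = re.compile(r"^\s*(javascript|data)\s*:", re.I)

# Constructed sample inputs for the test below.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><circle r="4" cx="4" cy="4" fill="#09c"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"></svg>'
HREF_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:x()"><text>hi</text></a></svg>'


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree prepends to tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def svg_is_safe(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). ok is False when the document is malformed, declares a DTD,
    is not rooted at <svg>, or contains script elements, on* attributes or script URLs."""
    # ElementTree still expands entity declarations; refuse DTDs outright (billion laughs).
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            return False, f"active element <{name}>"
        for attr, value in el.attrib.items():
            short = _local(attr)
            if short.lower().startswith("on"):
                return False, f"event handler attribute {short}"
            if short == "href" and SCRIPT_URL.match(value):
                return False, f"scriptable URL in {short}"
    return True, "ok"
```

Even with this gate, serve user-supplied images from a separate origin or with a sandboxing Content-Security-Policy so a check miss cannot execute in the admin session.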

Key dates

Disclosure timeline

November 13, 2024 CVE published
November 13, 2024 Record updated