CVE-2025-55741

unopim/unopim allows unauthorized product deletion via mass-delete endpoint

CVSS 8.1 HIGHEPSS 0.4%CWE-284 CWE-862

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

22 ago 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intended access controls by issuing requests to the mass-delete endpoint, allowing them to delete products without proper authorization. This vulnerability allows unauthorized product deletion, leading to potential data loss and business disruption. The issue is fixed in version 0.3.1. No known workarounds exist.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Produtos afetados

unopim · unopim

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/unopim/unopim/commit/c14eebe653aafd8dc713ca729165177e63315989 https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cx https://www.youtube.com/watch?v=J_WV8fCXlJM