UnoPim vulnerable to CSRF on Product edit feature and creation of other types
Description
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, some of the application's state-changing endpoints are vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability is fixed in 0.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
UnoPim before 0.2.1 contains multiple POST endpoints lacking CSRF protection, allowing attackers to perform unauthorized state-changing operations via cross-site request forgery.
Root Cause
The vulnerability is a classic Cross-Site Request Forgery (CSRF) in the UnoPim open-source PIM system built on Laravel. Multiple POST endpoints that perform state-changing actions—such as creating or editing products, categories, category fields, and attributes—do not validate a CSRF token (e.g., the X-XSRF-TOKEN header) [2]. This allows an attacker to forge requests on behalf of an authenticated admin without their consent.
Exploitation
Because the vulnerable endpoints accept application/x-www-form-urlencoded or multipart/form-data content types and the application sets its cookies with SameSite=None, an attacker can place an auto-submitting HTML form on a malicious site; when an authenticated admin visits it, the browser sends a cross-origin POST to UnoPim with the admin's session cookie attached [2]. A plain form submission is a "simple" request, so no CORS preflight occurs, and because the endpoints never check a token, the attacker does not need to set any custom header (which a cross-site form could not do anyway). A proof-of-concept built with Burp Suite demonstrates changing a product's price simply by opening a crafted HTML page [2].
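To make the root cause and the exploitation path concrete, the following is an added example (not UnoPim's code, and not from the advisory or the PoC) that models both halves of the problem: the browser's SameSite rule that decides whether a cross-site form POST carries the session cookie, and a product-update handler with and without a token check of the double-submit kind that Laravel's CSRF middleware performs. The cookie names (`unopim_session`, `XSRF-TOKEN`), the product record, the form field names and the 419 status are assumptions chosen for illustration; the check is a simplified stand-in for Laravel's real middleware.

```python
"""Hypothetical model of a CSRF-exposed product-update endpoint.

Assumptions (not taken from UnoPim): cookie names, form fields, the
product table, and the use of HTTP 419 for a failed token check (the
status Laravel uses for TokenMismatchException).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str = "Lax"  # "None" | "Lax" | "Strict"


@dataclass
class Request:
    method: str
    content_type: str
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed server state and secrets for the scenario.
PRODUCTS = {"42": {"price": "99.00"}}
SESSION = secrets.token_hex(16)
XSRF = secrets.token_hex(16)


def cookies_sent_cross_site(jar: List[Cookie], method: str) -> Dict[str, str]:
    """Browser SameSite policy for a top-level cross-site navigation.

    Strict: never attached cross-site. Lax: attached only to safe (GET)
    top-level navigations, so not to a form POST. None: always attached.
    """
    sent = {}
    for c in jar:
        if c.same_site == "None" or (c.same_site == "Lax" and method == "GET"):
            sent[c.name] = c.value
    return sent


def is_authenticated(req: Request) -> bool:
    return req.cookies.get("unopim_session") == SESSION


def csrf_token_valid(req: Request) -> bool:
    """Double-submit check: the XSRF-TOKEN cookie must match a token the
    client copied into the X-XSRF-TOKEN header or the _token form field.
    A cross-site page cannot read the cookie, so it cannot supply the copy."""
    expected = req.cookies.get("XSRF-TOKEN")
    supplied = req.headers.get("X-XSRF-TOKEN") or req.form.get("_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def update_product(req: Request, csrf_protected: bool) -> int:
    """Vulnerable (csrf_protected=False) vs hardened handler. Returns HTTP status."""
    if req.method != "POST" or not is_authenticated(req):
        return 401
    if csrf_protected and not csrf_token_valid(req):
        return 419
    PRODUCTS[req.form["id"]]["price"] = req.form["price"]
    return 200


def victim_cookie_jar(same_site: str) -> List[Cookie]:
    return [Cookie("unopim_session", SESSION, same_site),
            Cookie("XSRF-TOKEN", XSRF, same_site)]


def forged_form_post(jar: List[Cookie], product_id: str, price: str) -> Request:
    """What an auto-submitting HTML form on attacker.example produces: a
    form-urlencoded POST with no custom headers (so no CORS preflight) and
    only the cookies the browser's SameSite rule allows."""
    return Request("POST", "application/x-www-form-urlencoded",
                   {"id": product_id, "price": price}, {},
                   cookies_sent_cross_site(jar, "POST"))


def run_scenario(csrf_protected: bool, same_site: str) -> Tuple[int, str]:
    """Admin with cookies of the given SameSite mode visits the attacker page."""
    PRODUCTS["42"]["price"] = "99.00"
    req = forged_form_post(victim_cookie_jar(same_site), "42", "0.01")
    return update_product(req, csrf_protected), PRODUCTS["42"]["price"]


def legitimate_post(product_id: str, price: str) -> Tuple[int, str]:
    """Same-site request from the admin UI: all cookies, plus the token
    copied from the XSRF-TOKEN cookie into the header by first-party JS."""
    PRODUCTS[product_id]["price"] = "99.00"
    jar = victim_cookie_jar("None")
    req = Request("POST", "application/x-www-form-urlencoded",
                  {"id": product_id, "price": price},
                  {"X-XSRF-TOKEN": XSRF},
                  {c.name: c.value for c in jar})
    return update_product(req, csrf_protected=True), PRODUCTS[product_id]["price"]


if __name__ == "__main__":
    for protected in (False, True):
        for mode in ("None", "Lax", "Strict"):
            print(f"csrf_protected={protected!s:5} SameSite={mode:6} ->",
                  run_scenario(protected, mode))
    print("legitimate same-site update ->", legitimate_post("42", "10.00"))
```

Only the combination the advisory describes (no token check, SameSite=None) lets the forged POST go through: adding the token check turns it into a 419 even though the session cookie is sent, and SameSite=Lax or Strict stops the cookie from being attached at all, so the request fails authentication. The legitimate first-party request passes both checks. Either fix alone closes this hole; the token check is the one that does not depend on browser cookie policy, which is why the 0.2.1 fix matters even for deployments that also tighten SameSite.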
Impact
A successful CSRF attack allows an attacker to perform any action available on the vulnerable endpoints, such as modifying product prices, editing product details, creating or altering categories, and manipulating other settings—all without the victim admin's knowledge or intent [1][2]. This can lead to data integrity loss and operational disruption.
Mitigation
The vulnerability is fixed in version 0.2.1 of UnoPim [1][2]. Users are strongly advised to upgrade immediately. There is no evidence that this CVE is on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| unopim/unopim (Packagist) | < 0.2.1 | 0.2.1 |
Affected products
- unopim/unopim, affected range: < 0.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-287x-6r2h-f9mw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-55744 (NVD entry)
- drive.proton.me/urls/VXNDKQ4WKR (MISC)
- github.com/unopim/unopim/security/advisories/GHSA-287x-6r2h-f9mw (vendor advisory, CONFIRM)
News mentions
No linked articles in our index yet.