CVE-2025-55741

22.08.2025, 16:15

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intended access controls by issuing requests to the mass-delete endpoint, allowing them to delete products without proper authorization. This vulnerability allows unauthorized product deletion, leading to potential data loss and business disruption. The issue is fixed in version 0.3.1. No known workarounds exist.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
GitHub_M	CNA	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/unopim/unopim/commit/c14eebe653aafd8dc713ca729165177e63315989

https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cx

https://www.youtube.com/watch?v=J_WV8fCXlJM

https://github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cx

https://www.youtube.com/watch?v=J_WV8fCXlJM