CVE-2025-55742: 
PHP vulnerability analysis and mitigation

UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, was found to contain a stored cross-site scripting vulnerability (CVE-2025-55742) in versions before 0.2.1. The vulnerability was discovered on August 21, 2025, and affects the /admin/settings/users/create endpoint through SVG MIME/sanitizer bypass (GitHub Advisory).

The vulnerability exists in the Sanitizer trait where the MIME type validation for SVG files could be bypassed. An attacker could manipulate the file content to include malicious SVG code while misleading the sanitizer by including GIF magic bytes. The CVSS v3.1 base score is 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (GitHub Advisory).

If exploited, the vulnerability allows attackers to perform actions on behalf of other administrators who view the malicious image. While session cookies are protected by HTTP-only flags preventing direct cookie theft, attackers can still execute arbitrary actions under the victim's context. For example, an attacker could create products or perform other administrative actions as the victim administrator (GitHub Advisory).

The vulnerability was fixed in version 0.2.1 with improved file validation. The fix includes checking file extensions against a whitelist, verifying that the MIME type matches the file extension, and ensuring proper sanitization for SVG files. Three separate commits were made to address the issue: adding validation for file extension and MIME type, implementing FileMimeExtensionMatch rule, and updating user image validation (GitHub Patch, GitHub Patch, GitHub Patch).