CVE-2025-55744: UnoPim vulnerable to CSRF on Product edit feature and creation of other types
Several endpoints of the application are vulnerable to Cross-Site Request Forgery (CSRF): they accept state-changing requests that carry only the victim's session cookie, without the X-XSRF-TOKEN header (or an equivalent anti-CSRF token) that the protected endpoints require.
| Method | Endpoint | Status | Reason |
|---|---|---|---|
| POST | /admin/catalog/products/create | Not Vulnerable :white_check_mark: | X-XSRF-TOKEN header used |
| GET | /admin/catalog/products/copy/{id} | Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection |
| POST | /admin/catalog/products/edit/{id} | Vulnerable :x: | Missing X-XSRF-TOKEN header or similar protection |
| POST | /admin/settings/users/create | Not Vulnerable :white_check_mark: | X-XSRF-TOKEN header used |
The following endpoints also perform state-changing actions without CSRF protection (the list is not exhaustive):

- /admin/catalog/categories/create
- /admin/catalog/categories/edit/{id}
- /admin/catalog/category-fields/create
- /admin/catalog/category-fields/edit/{id}
- /admin/catalog/attributes/create
- /admin/catalog/attributes/edit/{id}

Note that `/admin/catalog/products/copy/{id}` is reached with GET. Token-based CSRF middleware conventionally skips GET, HEAD and OPTIONS because those methods are assumed to be read-only, so adding a token check alone does not cover that route: the copy action also needs to be moved to a non-safe method (POST) before the token check applies.
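As an added example (not UnoPim project code), the check below reproduces the reasoning behind the table: replay each endpoint with an authenticated session cookie but no X-XSRF-TOKEN, X-CSRF-TOKEN or `_token`, which is exactly what a cross-site request from an attacker's page carries, and classify the outcome. The HTTP transport is a constructed stand-in that mirrors the table's results so the script runs offline; the 419 status, the `unopim_session` cookie name and the `/admin/login` path are assumptions about the deployment, and a real run must replace `fake_send` with a client you are authorised to point at a test instance.

```python
"""Offline CSRF coverage check for the endpoints listed above (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_MISMATCH = 419               # assumed: status returned when the anti-CSRF token is missing
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # methods that token middleware skips by design
LOGIN_PATH = "/admin/login"        # assumed login route, used only to spot an unauthenticated bounce

Response = Tuple[int, Dict[str, str]]                      # (status, response headers)
Transport = Callable[[str, str, Dict[str, str]], Response]  # (method, path, request headers)


@dataclass
class Probe:
    method: str
    path: str


@dataclass
class Finding:
    probe: Probe
    status: int
    verdict: str   # "vulnerable", "protected" or "inconclusive"
    reason: str


def classify(probe: Probe, status: int, resp_headers: Dict[str, str]) -> Finding:
    """Turn the outcome of a token-less request into a CSRF verdict."""
    if status == TOKEN_MISMATCH:
        return Finding(probe, status, "protected", "token enforced: rejected without X-XSRF-TOKEN/_token")
    if 300 <= status < 400 and resp_headers.get("Location", "").endswith(LOGIN_PATH):
        # A redirect to login means the session cookie was not accepted; the probe proves nothing.
        return Finding(probe, status, "inconclusive", "bounced to login: session not authenticated")
    if 200 <= status < 400:
        if probe.method in SAFE_METHODS:
            reason = "state change on a safe method; token middleware never runs for it"
        else:
            reason = "accepted without any CSRF token"
        return Finding(probe, status, "vulnerable", reason)
    return Finding(probe, status, "protected", f"rejected with HTTP {status}")


def run(probes: List[Probe], send: Transport) -> List[Finding]:
    """Replay every probe with only a session cookie, exactly as a cross-site request would."""
    headers = {"Cookie": "unopim_session=CONSTRUCTED_SESSION_VALUE"}  # constructed value
    return [classify(p, *send(p.method, p.path, headers)) for p in probes]


def fake_send(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in transport that mirrors the outcomes reported in the table."""
    protected = {
        ("POST", "/admin/catalog/products/create"),
        ("POST", "/admin/settings/users/create"),
    }
    if "unopim_session=" not in headers.get("Cookie", ""):
        return 302, {"Location": LOGIN_PATH}
    if (method, path) in protected:
        return TOKEN_MISMATCH, {}
    # Unprotected edit/copy handlers complete the write and redirect back to the listing.
    return 302, {"Location": "/admin/catalog/products"}


PROBES = [
    Probe("POST", "/admin/catalog/products/create"),
    Probe("GET", "/admin/catalog/products/copy/1"),
    Probe("POST", "/admin/catalog/products/edit/1"),
    Probe("POST", "/admin/settings/users/create"),
]

if __name__ == "__main__":
    for f in run(PROBES, fake_send):
        print(f"{f.probe.method:5} {f.probe.path:40} {f.status} {f.verdict:12} {f.reason}")
```

To run it against a test instance, replace `fake_send` with a function built on an HTTP client that does not follow redirects (so a 302 back to the listing is distinguishable from a 302 to the login page) and that sends only the session cookie; any other header or form field added by a browser-side library would hide the very gap the check is looking for.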