CVE-2024-50637 is a Cross Site Scripting (XSS) vulnerability identified in UnoPim version 0.1.3 and earlier. The vulnerability resides in the Create User function, where the application improperly handles SVG documents submitted by users. SVG files can contain embedded scripts, and due to insufficient input validation or output encoding, an attacker can inject malicious JavaScript code. When a victim user or administrator views the affected interface, the malicious script executes in their browser context, enabling actions such as cookie theft or session hijacking. The CVSS 3.1 base score of 5.4 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R), and a scope change (S:C). The impact affects integrity and availability slightly, but confidentiality is not directly impacted according to the vector. No patches or fixes have been released yet, and no known exploits are reported in the wild. This vulnerability falls under CWE-79, a common web application security weakness related to improper neutralization of input. The vulnerability highlights the risks of accepting SVG content without proper sanitization, as SVGs can embed executable scripts. Organizations using UnoPim 0.1.3 or earlier should be aware of this risk and implement mitigations promptly.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts in the context of authenticated users, leading to theft of cookies or session tokens. This can result in unauthorized access to user accounts or administrative functions, undermining the integrity of the application. Additionally, the vulnerability can cause partial denial of service or manipulation of application data, affecting availability and integrity. Since exploitation requires some level of privileges and user interaction, the risk is somewhat mitigated but still significant in environments where multiple users have access to the Create User function. Organizations relying on UnoPim for product information management or related functions may face operational disruptions, data integrity issues, and potential exposure of sensitive session information. The absence of patches increases the window of exposure, and attackers could develop exploits once details become widely known.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization for all user-supplied content, especially SVG files uploaded or processed by the Create User function. Employing a whitelist approach to allowed SVG elements and attributes can reduce risk. Additionally, output encoding should be enforced to prevent script execution in browsers. Restricting the Create User function to trusted users and minimizing privileges can reduce exploitation likelihood. Implement Content Security Policy (CSP) headers to limit script execution sources and reduce impact if exploitation occurs. Monitoring logs for suspicious activity related to user creation and SVG uploads can help detect attempts. Until official patches are released, consider disabling SVG uploads or the Create User function if feasible. Regularly check for updates from UnoPim and apply patches promptly once available.