UnoPim Mass Product Deletion Vulnerability Due to Broken Access Control

Vulnerability

A broken access control vulnerability has been identified in UnoPim versions through 0.3.0. A user whose role lacks the delete privilege for products can bypass the access check by calling the mass-delete endpoint, which removes products without verifying that privilege. This can lead to unauthorized product deletion, causing data loss and potential business disruption.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of products, leading to data loss and possible disruption of business operations.

Reproduction

To reproduce this vulnerability, use an account whose role does not include the delete privilege for products. Attempting to delete a single product through the standard endpoint returns an 'unauthorized' response. However, the same user can send a request to the mass-delete endpoint with one or more product IDs, and those products are deleted without an authorization check. This vulnerability has also been confirmed in other categories that have mass-delete endpoints.
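The defensive pattern this finding calls for is that a bulk action must be gated by the same permission as the single-item action it mirrors. The following is an added example, not UnoPim's code: it models the single delete, an unchecked mass delete of the kind described above, a hardened mass delete, and a small audit that flags bulk handlers whose required permission differs from their single-item counterpart. The permission name `products.delete` and all handler names are constructed.

```python
"""Audit single vs. bulk actions for consistent permission checks.
Added example, not UnoPim code: all handler and permission names are constructed.
"""
import functools

class Forbidden(Exception):
    """Raised when the acting user lacks the required permission."""

def requires(permission):
    """Gate a handler on one permission and record it for auditing."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user_perms, *args):
            if permission not in user_perms:
                raise Forbidden(f"missing {permission}")
            return fn(user_perms, *args)
        wrapper.required_permission = permission
        return wrapper
    return decorator

@requires("products.delete")
def destroy(user_perms, product_id):
    """Single-item delete; returns the ids that would be removed."""
    return [product_id]

def mass_destroy_unchecked(user_perms, product_ids):
    """Bulk delete with no gate: the pattern the advisory describes."""
    return list(product_ids)

@requires("products.delete")
def mass_destroy(user_perms, product_ids):
    """Hardened bulk delete: same gate as the single-item action."""
    return list(product_ids)

def audit_bulk_handlers(pairs):
    """Flag bulk handlers whose required permission differs from the
    single-item handler they mirror. `pairs` is [(single, bulk), ...]."""
    findings = []
    for single, bulk in pairs:
        expected = getattr(single, "required_permission", None)
        actual = getattr(bulk, "required_permission", None)
        if actual != expected:
            findings.append((bulk.__name__, expected, actual))
    return findings
```

Running `audit_bulk_handlers([(destroy, mass_destroy_unchecked)])` reports the unchecked handler, while the hardened pair produces no finding; the same comparison can be applied to any single/bulk route pair in a code base.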

Remediation

Users can update to UnoPim version 0.3.1, where this vulnerability has been fixed.

Added: Aug 22, 2025, 4:17 PM
Updated: Aug 22, 2025, 6:48 PM

Vulnerability Rating

Custom Algorithm
  spread:         0.8
  impact:         2.5
  exploitability: 5.8
  remediation:    7.7
  relevance:      0.4
  threat:         6.4
  urgency:        2.9
  incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.