Description

UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
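
The pattern this record describes, as an added PHP illustration (not UNA CMS code; the handler names and inputs are hypothetical): the weak form feeds a POST field straight into unserialize(), beside two defensive alternatives that either parse the field as the integer it is meant to be, or, if serialized input is truly required, refuse object creation.

```php
<?php
// Added illustration of the CWE-502 pattern in this record plus two hardened
// alternatives. Hypothetical handler, not UNA CMS code.

// Weak pattern: a request parameter goes straight into unserialize(), so any
// loaded class with __wakeup()/__destruct() side effects becomes reachable.
function setAclLevelWeak(array $post): int
{
    $profileId = unserialize($post['profile_id']);   // untrusted data -> objects
    return (int) $profileId;
}

// Hardened 1: profile_id is an identifier, so parse it as one. No
// deserialization is needed; reject anything that is not a positive integer.
function setAclLevelStrict(array $post): int
{
    $raw = $post['profile_id'] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        throw new InvalidArgumentException('profile_id must be a positive integer');
    }
    return (int) $raw;
}

// Hardened 2: if serialized input really is required, forbid object creation.
// allowed_classes=false turns every object in the payload into
// __PHP_Incomplete_Class, so no magic methods run; only scalars/arrays pass.
function unserializeScalarsOnly(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted here');
    }
    return $value;
}

function containsObject($v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $e) {
            if (containsObject($e)) {
                return true;
            }
        }
    }
    return false;
}

// Usage with constructed inputs.
setAclLevelStrict(['profile_id' => '42']);
unserializeScalarsOnly('a:1:{s:2:"id";i:42;}');
```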

PUBLISHED Reserved 2025-12-04 | Published 2025-12-04 | Updated 2025-12-05 | Assigner VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

Default status: unaffected

9.0.0-RC1 (custom): affected

Credits

Egidio Romano aka EgiX (finder)

References

www.exploit-db.com/exploits/52139 (ExploitDB-52139) exploit

unacms.com (UNA CMS Homepage) product

github.com/unacms/una (UNA CMS GitHub Repository) product

karmainsecurity.com/KIS-2025-01 (Karma Security Advisory) vdb-entry

www.vulncheck.com/...s-900-rc1-1400-rc4-php-object-injection third-party-advisory

cve.org (CVE-2025-66571)

nvd.nist.gov (CVE-2025-66571)