CVE-2025-66571 PUBLISHED

UNA CMS 9.0.0-RC1 - 14.0.0-RC4 PHP Object Injection

Assigner: VulnCheck
Reserved: 04.12.2025
Published: 04.12.2025
Updated: 05.12.2025

UNA CMS versions 9.0.0-RC1 through 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php: the profile_id POST parameter is passed to PHP's unserialize() without validation, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
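The weak pattern the description refers to, shown next to hardened handlers, as an added illustration that is not UNA's code and does not reproduce BxBaseMenuSetAclLevel.php. Only the parameter name profile_id comes from the advisory; the function names and the constructed inputs are hypothetical, and the code assumes PHP 8.0 or later for the mixed return type.

```php
<?php
// Added illustration, not UNA's code. The parameter name "profile_id" is
// taken from the advisory; everything else here is hypothetical.

// Weak pattern (CWE-502): the raw POST value reaches unserialize(). Any
// serialized object the client sends is instantiated server-side, so the
// __wakeup()/__destruct() methods of whatever classes are loadable will run.
function weakSetAclLevel(array $post): mixed
{
    return unserialize($post['profile_id']);
}

// Hardened version 1: the parameter is an identifier, so treat it as a
// positive integer and never deserialize it at all.
function safeProfileId(array $post): ?int
{
    $id = filter_var($post['profile_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Hardened version 2: if a structured value genuinely must be accepted,
// use a data-only format (JSON) instead of PHP's native serialization and
// validate the shape after decoding.
function safeProfileIds(array $post): array
{
    $decoded = json_decode($post['profile_id'] ?? '', true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('profile_id must be a JSON array');
    }
    $ids = [];
    foreach ($decoded as $v) {
        if (!is_int($v) || $v < 1) {
            throw new InvalidArgumentException('profile_id entries must be positive integers');
        }
        $ids[] = $v;
    }
    return $ids;
}

// Hardened version 3: legacy code that cannot move off unserialize() should
// at least forbid object instantiation. Scalars and arrays still round-trip;
// a serialized object becomes __PHP_Incomplete_Class and no magic method runs.
function unserializeDataOnly(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed inputs for a self-check; the script is silent when all pass.
if (safeProfileId(['profile_id' => '42']) !== 42) {
    throw new RuntimeException('integer id should be accepted');
}
if (safeProfileId(['profile_id' => 'O:8:"stdClass":0:{}']) !== null) {
    throw new RuntimeException('serialized object must be rejected as an id');
}
if (safeProfileIds(['profile_id' => '[1,2,3]']) !== [1, 2, 3]) {
    throw new RuntimeException('JSON id list should decode to integers');
}
if (!(unserializeDataOnly('O:8:"stdClass":0:{}') instanceof __PHP_Incomplete_Class)) {
    throw new RuntimeException('allowed_classes=false must not instantiate objects');
}
```

Version 1 is the right fix for an identifier parameter; versions 2 and 3 cover code that really needs a structured value. For detection, a web application firewall or request log search for POST bodies beginning with a serialized-object prefix (O: followed by a digit and a colon) on the affected endpoint is a cheap signal that someone is probing this class of bug.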

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Unknown
Product UNA CMS
Versions Default: unaffected
  • affected from 9.0.0-RC1 to 14.0.0-RC4 (incl.)

Credits

  • Egidio Romano aka EgiX (finder)

References

Problem Types

  • CWE-502: Deserialization of Untrusted Data