Summary: A PHP Object Injection vulnerability has been detected in UNA CMS versions up to 14.0.0-RC4, specifically in the BxBaseMenuSetAclLevel.php script. The flaw arises from improper sanitization of the “profile_id” POST parameter, which could allow remote attackers to execute arbitrary PHP code. Users are urged to upgrade to version 14.0.0-RC5 or later to mitigate this risk.
Affected: UNA CMS
Key points:
- Vulnerability affects versions 9.0.0-RC1 to 14.0.0-RC4.
- Improper sanitization in the BxBaseMenuSetAclLevel::getCode() method allows for remote code execution.
- CVE-2025-32101 has been assigned to this vulnerability, and a fix is available in version 14.0.0-RC5.
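
The following is an added illustration of the PHP Object Injection class named above. It is not UNA CMS code and not the vendor's patch. It assumes the general form of this bug class, where request data reaches `unserialize()`, and it assumes `profile_id` is meant to carry one or more numeric ids. The `Probe` class and all function names are hypothetical, and the sample input is constructed.

```php
<?php
// Added illustration of the bug class; not UNA CMS code. All names are hypothetical.

final class Probe
{
    public static int $woke = 0;
    // Magic method PHP runs automatically whenever a Probe is unserialized.
    public function __wakeup(): void { self::$woke++; }
}

// Unsafe pattern: request data reaches unserialize() with every class allowed.
function parseProfileIdUnsafe(string $raw)
{
    return unserialize($raw);
}

// Safer pattern 1: if serialized input must be accepted, refuse to build objects.
function parseProfileIdNoObjects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Safer pattern 2: accept only what an id is, here a comma-separated list of
// positive integers (the list form is an assumption of this example).
function parseProfileIdStrict(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $id = filter_var(trim($part), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('profile_id must be a positive integer');
        }
        $ids[] = $id;
    }
    return $ids;
}

// Constructed sample: a serialized Probe standing in for untrusted POST data.
$sample = serialize(new Probe());

parseProfileIdUnsafe($sample);
echo "unsafe: __wakeup ran ", Probe::$woke, " time(s)\n";

$obj = parseProfileIdNoObjects($sample);
echo "no objects: got ", get_class($obj), ", __wakeup count still ", Probe::$woke, "\n";

try { parseProfileIdStrict($sample); }
catch (InvalidArgumentException $e) { echo "strict: rejected (", $e->getMessage(), ")\n"; }
print_r(parseProfileIdStrict('12, 40'));
```

Restricting `allowed_classes` stops magic methods from firing, but strict type validation removes the deserialization step entirely and is the stronger control where the parameter only needs to hold ids.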