Vulnerability Description
UNA CMS versions 9.0.0-RC1 through 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php: the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code.
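A detection check for the issue described above, added here as an example and not taken from UNA CMS or the referenced advisories: it parses a form-encoded POST body and reports any class names that PHP serialized-object tokens in the profile_id parameter would ask unserialize() to instantiate. The function names and sample bodies are constructed for illustration, and the body is assumed to be application/x-www-form-urlencoded.

```python
import re
from urllib.parse import parse_qsl

# PHP serialize() tokens that name a class to instantiate:
#   O:<len>:"Class":...  (object)   C:<len>:"Class":...  (custom-serialized)
# The optional '+' covers a signed length, which older PHP versions accepted.
OBJECT_TOKEN = re.compile(r'[OC]:\+?\d+:"([^"]*)"')


def serialized_classes(value):
    """Return the class names referenced by object tokens in one value."""
    return OBJECT_TOKEN.findall(value)


def inspect_body(body, param="profile_id"):
    """Parse a form-encoded POST body; return class names found in `param`."""
    found = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        # PHP also fills the parameter from array syntax: profile_id[]=...
        if key == param or key.startswith(param + "["):
            found.extend(serialized_classes(value))
    return found


# Constructed sample bodies (not captured traffic); stdClass is a harmless
# built-in class used only to exercise the matcher.
SAMPLE_BODIES = [
    "profile_id=42&other=1",
    "profile_id=a%3A2%3A%7Bi%3A0%3Bi%3A5%3Bi%3A1%3Bi%3A7%3B%7D",
    "profile_id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "profile_id=a%3A1%3A%7Bi%3A0%3BO%3A%2B8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
]


def flagged(bodies):
    """Return (body, classes) for every body whose parameter names a class."""
    hits = []
    for body in bodies:
        classes = inspect_body(body)
        if classes:
            hits.append((body, classes))
    return hits


if __name__ == "__main__":
    for body, classes in flagged(SAMPLE_BODIES):
        print("object token in profile_id:", classes, "<-", body)
```

The matcher is deliberately unanchored, so a plain string field that merely contains token-like text also matches; treat hits as leads to review against the request path and source.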
Related Weaknesses (CWE)
References
- https://github.com/unacms/una
- https://karmainsecurity.com/KIS-2025-01
- https://unacms.com
- https://www.exploit-db.com/exploits/52139
- https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injecti
FAQ
What is CVE-2025-66571?
CVE-2025-66571 is a documented vulnerability. UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper hand...
How severe is CVE-2025-66571?
CVSS scoring is not yet available for CVE-2025-66571. Check NVD for updates.
Is there a patch for CVE-2025-66571?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.