UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability

• Software Links:

• Affected Versions:

All versions from 9.0.0-RC1 to 14.0.0-RC4.

• Vulnerability Description:

The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.

Specifically, within the BxBaseMenuSetAclLevel::getCode() method:

45 public function getCode ($mixedProfileId = 0)
46 {
47   	$this->mixedProfileId = $mixedProfileId;
48
49    if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && ($mixedProfileId = bx_get('profile_id', 'post')) && ($iAclLevelId = bx_get('level_id', 'post'))) {
50        $mixedProfileId = urldecode($mixedProfileId);
51        if(!is_numeric($mixedProfileId))
52            $mixedProfileId = unserialize($mixedProfileId);
53
54        echoJson($this->setMembership($mixedProfileId, $iAclLevelId, bx_get('duration', 'post') !== false ? (int)bx_get('duration', 'post') : 0, (int)bx_get('card', 'post') > 0));
55        exit;
56    }

When calling this method, user input passed through the “profile_id” POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.

• Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2025-32101.php

• Solution:

Upgrade to version 14.0.0-RC5 or later.

• Disclosure Timeline:

[25/03/2025] – Vendor notified

[29/03/2025] – CVE identifier requested

[01/04/2025] – Version 14.0.0-RC5 released

[04/04/2025] – CVE identifier assigned

[07/04/2025] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2025-32101 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.