UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
• Software Links:
• Affected Versions:
All versions from 9.0.0-RC1 to 14.0.0-RC4.
• Vulnerability Description:
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
Specifically, within the BxBaseMenuSetAclLevel::getCode()
method:
45 public function getCode ($mixedProfileId = 0)
46 {
47 $this->mixedProfileId = $mixedProfileId;
48
49 if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && ($mixedProfileId = bx_get('profile_id', 'post')) && ($iAclLevelId = bx_get('level_id', 'post'))) {
50 $mixedProfileId = urldecode($mixedProfileId);
51 if(!is_numeric($mixedProfileId))
52 $mixedProfileId = unserialize($mixedProfileId);
53
54 echoJson($this->setMembership($mixedProfileId, $iAclLevelId, bx_get('duration', 'post') !== false ? (int)bx_get('duration', 'post') : 0, (int)bx_get('card', 'post') > 0));
55 exit;
56 }
When calling this method, user input passed through the “profile_id” POST parameter is not properly sanitized before being used in a call to the unserialize()
PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.
• Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2025-32101.php
• Solution:
Upgrade to version 14.0.0-RC5 or later.
• Disclosure Timeline:
[25/03/2025] – Vendor notified
[29/03/2025] – CVE identifier requested
[01/04/2025] – Version 14.0.0-RC5 released
[04/04/2025] – CVE identifier assigned
[07/04/2025] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2025-32101 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.