UNA CMS Security Flaw: When Your Website’s Safety Goes on a Coffee Break

Attention UNA CMS users: there’s a PHP Object Injection vulnerability lurking in versions up to 14.0.0-RC4. Your website could become a playground for mischievous hackers if they exploit this flaw. So, unless you want your site to become the digital equivalent of a clown car, it’s time to patch things up!


Hot Take:

UNA CMS has a vulnerability that makes it about as secure as a screen door on a submarine! Who knew that a little POST parameter could open the floodgates to remote code execution? This is a classic case of “Oops, I did it again” for web security, showing us that even your CMS can have an existential crisis.

Key Points:

  • UNA CMS versions from 9.0.0-RC1 to 14.0.0-RC4 are vulnerable to PHP Object Injection.
  • The vulnerability is located in the BxBaseMenuSetAclLevel.php script.
  • User input via the “profile_id” POST parameter isn’t properly sanitized.
  • Remote attackers can inject arbitrary PHP objects, leading to code execution.
  • The exploit requires no authentication—just like a public park, everyone is welcome!
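
A defender-side check for the issue summarized above, as an added example that is not code from the article or from UNA: it scans urlencoded POST bodies and flags any `profile_id` value that carries PHP `serialize()` markers. It assumes a legitimate `profile_id` is a plain decimal integer; the function names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# PHP serialize() object markers: O:<len>:"Class":<count>:{ and C:<len>:"Class":<len>:{
# They can sit at the start of the value or nested inside an array/object.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?[0-9]+:"[^"]*":[0-9]+:\{')
# Other serialized types (array, string, int, bool, float, null) at the start.
PHP_SERIALIZED = re.compile(r'(?:a:[0-9]+:\{|s:[0-9]+:"|[ibd]:[^;]*;|N;)')
# Assumption: a legitimate profile_id is a plain decimal integer.
PLAIN_ID = re.compile(r'[0-9]{1,20}')


def classify_profile_id(value):
    """Classify one decoded profile_id value."""
    value = value.strip()
    if PLAIN_ID.fullmatch(value):
        return "ok"
    if PHP_OBJECT.search(value):
        return "php-object"
    if PHP_SERIALIZED.match(value):
        return "php-serialized"
    return "non-numeric"


def scan_post_body(body):
    """Return one verdict per profile_id value in a urlencoded POST body."""
    verdicts = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        # Cover the scalar form and PHP array forms such as profile_id[].
        if name == "profile_id" or name.startswith("profile_id["):
            verdicts.extend(classify_profile_id(v) for v in values)
    return verdicts


# Constructed sample bodies (not captured traffic); stdClass is a harmless built-in.
SAMPLES = [
    "x=1&profile_id=42",
    "profile_id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "profile_id=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "profile_id=a%3A0%3A%7B%7D",
    "profile_id=abc",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_post_body(body), body)
```

The same integer-only rule works as a virtual patch at a reverse proxy or WAF until the CMS itself is updated.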
