CVE-2025-7063
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-11-26
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| widzialni | pad_cms | to 1.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because the PAD CMS file upload functionality uses a client-controlled permission check parameter, allowing an unauthenticated remote attacker to upload files of any type and extension without restriction. These uploaded files can then be executed, leading to Remote Code Execution. It affects all three templates: www, bip, and ww+bip.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to upload and execute arbitrary files on the server without authentication, resulting in Remote Code Execution. This can lead to full compromise of the affected system, unauthorized access, data theft, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Since the product is End-Of-Life and no patches will be published, immediate mitigation steps include disabling or restricting the file upload functionality in PAD CMS, implementing network-level controls such as blocking access to the vulnerable endpoints, and monitoring for any suspicious file uploads or executions. Consider isolating the affected system from critical networks to reduce risk.