CVE-2025-8117
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-11-26
Assigner: CERT.PL
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| widzialni | pad_cms | up to and including 1.2.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-909 | The product does not initialize a critical resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PAD CMS occurs because the system does not properly initialize a parameter used in its password recovery flow (CWE-909). The flaw allows an attacker to change the password of any user who has never used the reset-password functionality, and it affects all three templates: www, bip, and www+bip.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to change users' passwords without their consent, gaining unauthorized access to their accounts and to any sensitive information those accounts can reach. Because the product is End-Of-Life and no patches will be provided, the risk remains unmitigated.
What immediate steps should I take to mitigate this vulnerability?
Because the product is End-Of-Life and no patches will be published, immediate mitigation consists of discontinuing use of PAD CMS, restricting access to the affected system, and adding compensating controls such as network segmentation and strong authentication to limit exposure.
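To make the CWE-909 pattern behind this advisory concrete for defenders reviewing their own reset flows, the following is an added, constructed Python illustration; it is not PAD CMS code and makes no claim about how PAD CMS is implemented. It assumes a user record whose recovery token is left empty until a reset is requested, and contrasts a check that compares the submitted token against that never-initialised value with a hardened version that refuses when no reset is pending, enforces expiry, compares in constant time, and consumes the token after use. The `hash-of-` password hashing is a placeholder standing in for a real password hash.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    # Constructed illustration of CWE-909: the recovery token is never set
    # until the user asks for a reset, so for most accounts it stays empty.
    reset_token: str = ""
    reset_expires: float = 0.0


def fresh_users():
    """Constructed sample accounts; none of them has requested a reset."""
    return {
        "alice": User("alice", "hash-of-old-password"),
        "bob": User("bob", "hash-of-old-password"),
    }


def vulnerable_reset(users, name, submitted_token, new_password):
    """Weak pattern: the stored token is compared without first checking that a
    reset was ever initiated, so an empty stored token matches an empty
    submitted token and the password of any untouched account can be set."""
    user = users.get(name)
    if user is None:
        return False
    if submitted_token == user.reset_token:
        user.password_hash = "hash-of-" + new_password  # placeholder hashing
        return True
    return False


def request_reset(users, name, ttl_seconds=900, now=None):
    """Initialise the recovery state explicitly: a fresh random token plus an
    expiry. Returns the token (which a real system would e-mail to the user)."""
    user = users.get(name)
    if user is None:
        return None
    user.reset_token = secrets.token_urlsafe(32)
    user.reset_expires = (now if now is not None else time.time()) + ttl_seconds
    return user.reset_token


def hardened_reset(users, name, submitted_token, new_password, now=None):
    """Hardened pattern: no pending reset means no reset, tokens expire, the
    comparison is constant-time, and a token is good for exactly one use."""
    user = users.get(name)
    if user is None:
        return False
    # 1. Refuse when no reset is pending (token never initialised or consumed).
    if not user.reset_token or not submitted_token:
        return False
    # 2. Refuse expired tokens.
    if (now if now is not None else time.time()) > user.reset_expires:
        return False
    # 3. Constant-time comparison to avoid leaking the token byte by byte.
    if not hmac.compare_digest(submitted_token, user.reset_token):
        return False
    user.password_hash = "hash-of-" + new_password  # placeholder hashing
    # 4. Single use: clear the recovery state once it has been consumed.
    user.reset_token = ""
    user.reset_expires = 0.0
    return True
```

When auditing a reset handler, the question to ask is whether the code path that grants a password change can be reached for an account whose recovery state was never explicitly initialised; the hardened version answers that by treating an empty or missing token as "no reset pending" rather than as a value to compare against.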