CVE-2025-8118
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-11-26
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| widzialni | pad_cms | to 1.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in PAD CMS is due to weak client-side brute-force protection. The system uses two cookies, login_count and login_timeout, to track login attempts and timeout periods, but this information is not stored on the server. Because of this, an attacker can reset these cookies to bypass the brute-force protection mechanism and repeatedly attempt to guess passwords without restriction.
How can this vulnerability impact me? :
This vulnerability allows an attacker to bypass brute-force protections and potentially gain unauthorized access to user accounts by repeatedly attempting passwords without being blocked or delayed. This can lead to account compromise, unauthorized data access, and potential further exploitation of the system.
What immediate steps should I take to mitigate this vulnerability?
Since PAD CMS is End-Of-Life and no patches will be published, immediate mitigation steps include disabling or restricting access to the affected login functionality, implementing server-side brute-force protections such as rate limiting or IP blocking, and monitoring for suspicious login attempts. Additionally, consider migrating to a supported CMS platform to avoid unpatched vulnerabilities.