CVE-2025-59113
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-12-05
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| windu | windu_cms | 4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Windu CMS is due to weak client-side brute-force protection. The system uses a parameter called loginError to track login attempts, but it does not store attempt counts or timeouts on the server side. This allows an attacker to bypass the brute-force protection by resetting the loginError parameter, effectively avoiding detection or lockout.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to perform unlimited brute-force login attempts without being blocked or detected by the system's protection mechanisms. This increases the risk of unauthorized access to user accounts or administrative functions, potentially leading to data breaches or system compromise.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid relying on the client-side brute-force protection mechanism based on the loginError parameter, as it can be bypassed. Implement server-side brute-force protection that tracks attempt counts and enforces timeouts. Additionally, consider applying rate limiting, account lockouts, or CAPTCHA challenges on the server side to prevent automated brute-force attacks.