Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This issue affects all 3 templates: www, bip and www+bip.
This product is End-Of-Life and producent will not publish patches for this vulnerability.
AnalysisAI
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This product is End-Of-Life and producent will not publish patches for this vulnerability. Affected products include: Widzialni Pad Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remo
PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Rated medium severity (CVSS 5.1),
PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Rate
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that d
Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remo
Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remot
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today