Pad Cms
CVE-2025-8117
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. This issue affects all 3 templates: www, bip and www+bip.
This product is End-Of-Life and producent will not publish patches for this vulnerability.
AnalysisAI
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-909. PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. This product is End-Of-Life and producent will not publish patches for this vulnerability. Affected products include: Widzialni Pad Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remo
PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Rated medium severity (CVSS 5.1),
PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Rate
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Rated medium severity (CVSS 5.1), this
Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remo
Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remot
Same weakness CWE-909 – Missing Initialization of Resource
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today