Pad Cms
CVE-2025-8119
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send a POST request changing currently logged user's password to defined by the attacker value. This issue affects all 3 templates: www, bip and www+bip.
This product is End-Of-Life and producent will not publish patches for this vulnerability.
AnalysisAI
PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send a POST request changing currently logged user's password to defined by the attacker value. This product is End-Of-Life and producent will not publish patches for this vulnerability. Affected products include: Widzialni Pad Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remo
PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Rate
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that d
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Rated medium severity (CVSS 5.1), this
Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remo
Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remot
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today