Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQL Injection attacks. This issue affects all 3 templates: www, bip and ww+bip.
This product is End-Of-Life and producent will not publish patches for this vulnerability.
AnalysisAI
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQL Injection attacks. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQL Injection attacks. This product is End-Of-Life and producent will not publish patches for this vulnerability. Affected products include: Widzialni Pad Cms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ
Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remo
PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Rated medium severity (CVSS 5.1),
PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Rate
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that d
PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Rated medium severity (CVSS 5.1), this
Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remo
Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remot
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today