CVE-2025-8118

Medium CVSS: 6.9

PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.

Vendor

Widzialni

Product

Pad Cms

CWE

CWE-307

Yayın Tarihi

2025-09-30 11:37:44

Güncelleme

2025-11-26 14:40:13

Source Identifier

cvd@cert.pl

KEV Date Added

Kategoriler

CWE-307 Pad Cms MEDIUM Widzialni 2025

Referanslar

https://cert.pl/posts/2025/09/CVE-2025-7063

Benzer Kayıtlar

High

CVE-2025-8122

Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ…

Medium

CVE-2025-8119

PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Malicious attacker can craft spec…

Critical

CVE-2025-8120

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remo…

High

CVE-2025-8121

Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQ…

Critical

CVE-2025-7063

Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remot…

Critical

CVE-2025-7065

Due to client-controlled permission check parameter, PAD CMS's photo upload functionality allows an unauthenticated remo…