CVE-2025-1107 CRITICAL

CVE-2025-1107: Unverified password change vulnerability in Janto

Vendor Impronta
Product Janto
Weakness CWE-620 · Unverified password change
Published February 7, 2025
Last update February 12, 2025

CVSS base score

9.9/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

What the vulnerability does

Description

Janto, in versions prior to r12, contains an unverified password change vulnerability (CWE-620). It could allow an unauthenticated attacker to change another user's password without knowing that user's current password. To exploit the vulnerability, the attacker must craft a specific POST request and send it to the endpoint '/public/cgi/Gateway.php'.

Key dates

Disclosure timeline

February 7, 2025: CVE published
February 12, 2025: Record updated