CVE-2025-8117 HIGH

CVE-2025-8117: Account Takeover via Reset Password Functionality in PAD CMS

Vendor Polska Akademia Dostępności
Product PAD CMS
Weakness CWE-909
Published September 30, 2025
Last update September 30, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.

Key dates

02Disclosure timeline

September 30, 2025 CVE published
September 30, 2025 Record updated