CVE-2025-15398

Summary

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Uasoftbadaso2.9.0affected
Uasoftbadaso2.9.1affected
Uasoftbadaso2.9.2affected
Uasoftbadaso2.9.3affected
Uasoftbadaso2.9.4affected
Uasoftbadaso2.9.5affected
Uasoftbadaso2.9.6affected
Uasoftbadaso2.9.7affected

Weaknesses

  • CWE-640: Weak Password Recovery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References