CVE-2025-8118

Summary

PAD CMS implements weak client-side brute-force protection by utilizing two cookies:  login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Polska Akademia DostępnościPAD CMS0 <= 1.2.1affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References