CVE-2025-8119

4.3 MEDIUM

📋 TL;DR

PAD CMS has a CSRF vulnerability in its password reset functionality that allows attackers to change logged-in users' passwords without their consent. When victims visit a malicious website, it can automatically send POST requests to reset their passwords to attacker-defined values. This affects all PAD CMS templates (www, bip, www+bip) and the product is end-of-life with no official patches available.

💻 Affected Systems

Products:
  • PAD CMS
Versions: All versions
Operating Systems: Any OS running PAD CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all three templates: www, bip, and www+bip. Product is end-of-life with no vendor support.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to administrator accounts, potentially leading to complete system compromise, data theft, or website defacement.

🟠 Likely Case

Attackers reset passwords of logged-in users to gain access to their accounts, potentially stealing sensitive information or performing unauthorized actions.

🟢 If Mitigated

With proper CSRF protections, the attack fails and users maintain control of their accounts with no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the victim to be logged in to PAD CMS and to visit an attacker-controlled page while that session is active. No authentication bypass is needed beyond the user already being logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://cert.pl/posts/2025/09/CVE-2025-7063

Restart Required: No

Instructions:

No official patch available as product is end-of-life. Vendor will not release fixes.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add CSRF protection tokens to the password reset form so the server can verify that each reset request was submitted from its own form rather than from another site.

Manual code modification required: add a per-session CSRF token to the password reset form and reject submissions whose token is missing or does not match.

Use SameSite Cookies

Applies to: all

Set the SameSite=Strict attribute on the session cookie so the browser does not attach it to requests initiated from another site; a forged cross-site POST then arrives without a session and cannot act on the user's behalf.

Set the session cookie with the SameSite=Strict attribute in the web server configuration.
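The two workarounds above side by side, as an added example that is not PAD CMS code or vendor guidance. The session store, the cookie name PADSESSID, the origin cms.example.test and the handler names are all assumptions made for the example; the vulnerable handler models the behaviour the advisory describes (any POST arriving with a valid session cookie changes the password), and the hardened handler adds a per-session synchronizer token compared in constant time plus an Origin check, while the cookie helper emits the SameSite=Strict attribute.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store standing in for the CMS's real one (constructed).
SESSIONS = {}
COOKIE_NAME = "PADSESSID"                   # assumed cookie name, not PAD CMS's actual one
SITE_ORIGIN = "https://cms.example.test"    # assumed origin of the CMS instance


def create_session(user, password):
    """Log a user in: issue a random session id and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "password": password,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own password-reset form."""
    return SESSIONS[sid]["csrf"]


def current_password(sid):
    return SESSIONS[sid]["password"]


def session_cookie_header(sid):
    """Set-Cookie header for the session with SameSite=Strict (second workaround),
    plus Secure and HttpOnly so the cookie is never sent on cross-site requests
    and is not readable from script."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def reset_password_vulnerable(sid, form):
    """Pre-fix behaviour the advisory describes: any POST that arrives with a valid
    session cookie changes the password. Because the browser attaches the cookie
    automatically, a form auto-submitted from another site also succeeds."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    sess["password"] = form["new_password"]
    return 200


def reset_password_hardened(sid, form, origin=None):
    """Same endpoint with the first workaround applied. The request must carry the
    per-session token that only the CMS's own form could have embedded, compared in
    constant time; when the browser supplies an Origin header it must name the site."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403
    sess["password"] = form["new_password"]
    return 200


if __name__ == "__main__":
    sid = create_session("editor", "old-password")
    print(session_cookie_header(sid))
    # A cross-site submission carries the cookie but no token: rejected.
    print(reset_password_hardened(sid, {"new_password": "x"}), current_password(sid))
    # The CMS's own form includes the token: accepted.
    ok = reset_password_hardened(sid, {"new_password": "fresh", "csrf_token": csrf_token_for(sid)},
                                 origin=SITE_ORIGIN)
    print(ok, current_password(sid))
```

The token check is the fix that works everywhere; the SameSite=Strict cookie is defence in depth, since older browsers ignore the attribute and Strict also drops the session on legitimate top-level navigations from other sites.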

🧯 If You Can't Patch

  • Deploy web application firewall (WAF) with CSRF protection rules
  • Migrate to supported CMS platform and decommission PAD CMS

🔍 How to Verify

Check if Vulnerable:

Check whether the password reset form submits a CSRF token that the server actually validates, and whether the session cookie is set with a SameSite attribute.

Check Version:

Check PAD CMS version in administration panel or configuration files.

Verify Fix Applied:

Test password reset functionality with CSRF testing tools to ensure requests without valid tokens are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset attempts from same IP
  • Password reset requests without referrer headers
  • Unusual password reset patterns

Network Indicators:

  • POST requests to password reset endpoint without CSRF tokens
  • Requests from unexpected referrers

SIEM Query:

source_ip=* AND url_path="/password-reset" AND http_method="POST" AND NOT csrf_token=*
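The log and network indicators above as detection logic run over sample events, added here as an example and not part of the advisory. The events are constructed JSON lines in a format a reverse proxy in front of the CMS might produce; the hostname cms.example.test, the path /password-reset (taken from the SIEM query above) and the burst threshold of three resets in five minutes are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SITE_HOST = "cms.example.test"        # assumed hostname of the PAD CMS instance
RESET_PATH = "/password-reset"        # assumed reset endpoint path, as in the SIEM query above
BURST_THRESHOLD = 3                   # assumed: this many resets from one IP inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample events (one JSON object per line), not real PAD CMS logs.
SAMPLE_LOG = """\
{"ts": "2025-09-01T10:00:00", "src_ip": "10.0.0.5", "method": "POST", "path": "/password-reset", "referer": "https://cms.example.test/account", "origin": "https://cms.example.test"}
{"ts": "2025-09-01T10:00:07", "src_ip": "10.0.0.9", "method": "POST", "path": "/password-reset", "referer": "https://attacker.example/lure.html", "origin": "https://attacker.example"}
{"ts": "2025-09-01T10:00:20", "src_ip": "10.0.0.12", "method": "POST", "path": "/password-reset", "referer": "", "origin": ""}
{"ts": "2025-09-01T10:01:00", "src_ip": "10.0.0.7", "method": "POST", "path": "/password-reset", "referer": "https://cms.example.test/account", "origin": "https://cms.example.test"}
{"ts": "2025-09-01T10:01:30", "src_ip": "10.0.0.7", "method": "POST", "path": "/password-reset", "referer": "https://cms.example.test/account", "origin": "https://cms.example.test"}
{"ts": "2025-09-01T10:02:00", "src_ip": "10.0.0.7", "method": "POST", "path": "/password-reset", "referer": "https://cms.example.test/account", "origin": "https://cms.example.test"}
{"ts": "2025-09-01T10:02:10", "src_ip": "10.0.0.5", "method": "GET", "path": "/password-reset", "referer": "https://cms.example.test/account", "origin": ""}
"""


def parse_events(text):
    """Parse JSON-lines events, converting the ISO timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def header_host(value):
    """Host named by a Referer or Origin header value; '' when the header is absent."""
    if not value:
        return ""
    return urlsplit(value).hostname or ""


def detect(events):
    """Return (src_ip, reason) alerts for POSTs to the reset endpoint that arrive
    with no Referer/Origin, from a foreign site, or in a burst from one address."""
    alerts = []
    reset_times = defaultdict(list)
    for e in events:
        if e.get("method") != "POST" or e.get("path") != RESET_PATH:
            continue
        reset_times[e["src_ip"]].append(e["ts"])
        ref_host = header_host(e.get("referer", ""))
        origin_host = header_host(e.get("origin", ""))
        if not ref_host and not origin_host:
            alerts.append((e["src_ip"], "missing-referer-and-origin"))
        elif SITE_HOST not in (ref_host, origin_host):
            alerts.append((e["src_ip"], "cross-site-source:" + (origin_host or ref_host)))
    # Burst rule: BURST_THRESHOLD resets from one IP whose first and last fall inside BURST_WINDOW.
    for ip, times in reset_times.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                alerts.append((ip, f"burst:{BURST_THRESHOLD}-in-{BURST_WINDOW.seconds // 60}min"))
                break
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(parse_events(SAMPLE_LOG)):
        print(ip, reason)
```

The SIEM query above relies on a csrf_token field being present in the log; proxy and web-server access logs normally do not record POST body fields, so in practice the Referer/Origin and per-IP rate checks shown here are what is available unless the application itself logs token validation failures.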

🔗 References
