Remote Code Execution via Unrestricted File Upload in PAD CMS

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.

Basic Information

ID CVE-2025-8120

Source CERT-PL

Published Sep 30, 2025 at 10:05

Affected Product

Vendor Polska Akademia Dostępności

Product PAD CMS

Affected Versions Polska Akademia Dostępności PAD CMS 0

CWE Classification

CWE-434

References

cert.pl /posts/2025/09/CVE-2025-7063

{
    "lastseen": "",
    "description": "Due to client-controlled permission check parameter, PAD CMS's upload photo functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution.This issue affects all 3 templates: www, bip and ww+bip.\n\nThis product is End-Of-Life and producent will not publish patches for this vulnerability.",
    "published": "2025-09-30T10:05:03.496Z",
    "modified": "2025-09-30T10:05:03.496Z",
    "type": "cve",
    "title": "Remote Code Execution via Unrestricted File Upload in PAD CMS",
    "source": "CERT-PL",
    "references": "https://cert.pl/posts/2025/09/CVE-2025-7063",
    "id": "CVE-2025-8120",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "Polska Akademia Dost\u0119pno\u015bci PAD CMS 0",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PAD CMS",
    "version": "0",
    "vendor": "Polska Akademia Dost\u0119pno\u015bci",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Remote Code Execution via Unrestricted File Upload in PAD CMS_CVE-2025-8120