Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery_CVE-2025-15398

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2025-15398

Source VulDB

Published Dec 31, 2025 at 22:02

Affected Product

Vendor Uasoft

Product badaso

Version 2.9.0

Affected Versions Uasoft badaso 2.9.0
Uasoft badaso 2.9.1
Uasoft badaso 2.9.2
Uasoft badaso 2.9.3
Uasoft badaso 2.9.4
Uasoft badaso 2.9.5
Uasoft badaso 2.9.6
Uasoft badaso 2.9.7

CWE Classification

CWE-640

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2025-12-31T22:02:08.542Z",
    "modified": "2025-12-31T22:02:08.542Z",
    "type": "cve",
    "title": "Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.339207\nhttps://vuldb.com/?ctiid.339207\nhttps://vuldb.com/?submit.720129\nhttps://note-hxlab.wetolink.com/share/HG1CWbb7FVnq\nhttps://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--trigger-password-reset-for-victim--strong---span-",
    "id": "CVE-2025-15398",
    "bulletinFamily": "",
    "cwe": [
        "CWE-640"
    ],
    "cvelist": null,
    "sourceData": "Uasoft badaso 2.9.0\nUasoft badaso 2.9.1\nUasoft badaso 2.9.2\nUasoft badaso 2.9.3\nUasoft badaso 2.9.4\nUasoft badaso 2.9.5\nUasoft badaso 2.9.6\nUasoft badaso 2.9.7",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "badaso",
    "version": "2.9.0",
    "vendor": "Uasoft",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}