Due to client-controlled permission check parameter, PAD CMS's file upload functionality allows an unauthenticated remote attacker to upload files of any type and extension without restriction, which can then be executed leading to Remote Code Execution. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.
The permission verification mechanism during file uploads is controlled on the client side, meaning an attacker can modify the parameter responsible for permission verification and bypass all restrictions. As a result, it is possible to upload a file of any extension — including executable scripts — without needing any account in the system. After uploading such a file, the attacker can trigger its execution on the server, gaining remote control over the system (RCE). The problem affects all three system templates: www, bip, and ww+bip.
An unauthenticated attacker can gain full remote control over the server (RCE), including the ability to execute arbitrary commands, steal data, and perform lateral movement within the internal network.
The vendor will not publish patches for this vulnerability due to the End-Of-Life status of the product. It is recommended to immediately disable or isolate PAD CMS instances from the public network and migrate to an actively supported system. As interim measures, consider blocking access to upload functionality at the firewall or web server level and implementing restrictive access controls to directories containing user-uploaded files.
Widzialni PAD CMS — all three templates: www, bip, and ww+bip. The product is marked as End-Of-Life.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XWidzialni Pad Cms
APPWidzialni≤ 1.2.1
Related vulnerabilities
PAD CMS – nieograniczony upload plików prowadzący do RCE
Unrestricted File Upload z RCE w Widzialni PAD CMS (brak uwierzytelnienia)
Improper neutralization of input provided by an authorized user in article positioning functionality allows fo...
PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any u...
Improper neutralization of input provided by an authorized user in article positioning functionality allows fo...