
Mateusz Jurczak

#17199 of 53,633
15.6 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2025-39966 · CVSS 8.7 · 2025-09-30
Pad Cms · Pad Cms · CVE-2025-8117

**Name of the Vulnerable Software and Affected Versions**
PAD CMS (affected versions not specified)

**Description**
The software improperly initializes a parameter used during the password recovery process. This allows an attacker to change the password for any user who has not utilized the password reset functionality. The issue impacts all three templates: `www`, `bip`, and `www+bip`. The product is End-Of-Life and the producer will not release patches for this issue.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2025-39967 · CVSS 6.9 · 2025-09-30
Pad Cms · Pad Cms · CVE-2025-8118

**Name of the Vulnerable Software and Affected Versions**
PAD CMS (affected versions not specified)

**Description**
The software utilizes weak client-side brute-force protection relying on cookies, specifically `login count` and `login timeout`. The attempt count and timeout information are not stored server-side, allowing attackers to bypass the protection by resetting these cookies. This affects all three templates: `www`, `bip`, and `www+bip`. The product is End-Of-Life and will not receive patches for this issue.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.