PT-2025-15053 · Zendto · Zendto

Published: 2025-04-05 · Updated: 2025-04-05 · CVE-2025-32352

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZendTo versions prior to 5.04-7

Description: A type confusion vulnerability in lib/NSSAuthenticator.php allows remote attackers to bypass authentication for users with passwords stored as MD5 hashes that can be interpreted as numbers. The solution requires moving from MD5 to bcrypt.

Recommendations: For versions prior to 5.04-7, migrate from MD5 to bcrypt to resolve the issue. As a temporary workaround, consider restricting access to the lib/NSSAuthenticator.php file until a patch is available. Avoid using MD5 hashes for password storage in the affected API endpoints until the issue is resolved.
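The comparison mistake the description refers to (an MD5 hex digest of the form 0e followed only by digits is a numeric string, so PHP's loose == operator compares it as the number zero), together with the strict comparison and the bcrypt migration the recommendation calls for, as an added PHP example. This is not ZendTo's code: the stored digest is a constructed value of that form, and the function names are invented for illustration.

```php
<?php
// Added example, not ZendTo's code. Shows why a loose comparison of MD5
// digests is a type-confusion bug and what the hardened checks look like.

// Constructed stored record: a 32-hex-char digest that happens to be
// "0e" followed only by digits, which PHP treats as a numeric string (0.0).
const STORED_MD5 = '0e462097431906509019562988736854';

// Another constructed digest of the same "0e<digits>" form. It differs in
// every digit after the "0e", yet loosely compares equal to STORED_MD5.
const OTHER_NUMERIC_DIGEST = '0e111111111111111111111111111111';

// Weak check: loose comparison. Both operands are numeric strings, so PHP
// compares them as floats (0.0 == 0.0) instead of byte for byte.
function digestsLooselyEqual(string $a, string $b): bool
{
    return $a == $b;   // type juggling: the bug class in the advisory
}

// Hardened comparison for legacy MD5 records that cannot be migrated yet:
// constant-time, byte-for-byte, no numeric conversion.
function digestsStrictlyEqual(string $a, string $b): bool
{
    return hash_equals($a, $b);
}

// Migration path: on a successful strict legacy check, re-hash the password
// with bcrypt and return the new hash for storage. Returns null on failure.
function migrateLegacyToBcrypt(string $candidate, string $legacyMd5): ?string
{
    if (!hash_equals($legacyMd5, md5($candidate))) {
        return null;
    }
    return password_hash($candidate, PASSWORD_BCRYPT);
}

// Verification against a bcrypt record: password_verify handles the
// constant-time comparison and never treats the hash as a number.
function verifyBcrypt(string $candidate, string $bcryptHash): bool
{
    return password_verify($candidate, $bcryptHash);
}

// Self-check a maintainer can keep as a regression test for the comparator.
function comparatorIsSafe(callable $compare): bool
{
    // A safe comparator must report these two different digests as unequal.
    return $compare(STORED_MD5, OTHER_NUMERIC_DIGEST) === false;
}

var_dump(comparatorIsSafe('digestsLooselyEqual'));
var_dump(comparatorIsSafe('digestsStrictlyEqual'));

// Constructed password for the migration demonstration only.
$constructedPassword = 'correct horse battery staple';
$legacy = md5($constructedPassword);
$bcrypt = migrateLegacyToBcrypt($constructedPassword, $legacy);
var_dump($bcrypt !== null && verifyBcrypt($constructedPassword, $bcrypt));
var_dump($bcrypt !== null && verifyBcrypt('wrong password', $bcrypt));
```

The comparatorIsSafe check is the useful part for a defender: run it against whatever comparison an authenticator uses, and a loose == comparator fails it while hash_equals and password_verify pass. Migrating to bcrypt removes the numeric-string digest shape entirely, which is why the advisory treats that migration as the fix rather than the strict comparison alone.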

Weakness Enumeration: Type Confusion

Related Identifiers: CVE-2025-32352

Affected Products: Zendto