CVE-2025-15398

Name of the Vulnerable Software and Affected Versions Uasoft badaso versions up to 2.9.7

Description A security issue exists in Uasoft badaso up to version 2.9.7 related to weak password recovery. The forgetPassword function within the src/Controllers/BadasoAuthController.php file of the Token Handler component is affected. This manipulation can be executed remotely and is characterized by high complexity, though exploitability is considered difficult. The exploit has been publicly disclosed, and the vendor was notified but did not respond.

Recommendations Versions prior to 2.9.7 should be updated. As a temporary workaround, consider restricting access to the forgetPassword function until a patch is available.