{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-8116","assignerOrgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","state":"PUBLISHED","assignerShortName":"CERT-PL","dateReserved":"2025-07-24T13:38:01.739Z","datePublished":"2025-09-30T10:04:25.946Z","dateUpdated":"2025-09-30T19:13:04.145Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","product":"PAD CMS","vendor":"Polska Akademia Dostępności","versions":[{"lessThanOrEqual":"1.2.1","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Jakub Szweda (CERT.PL)"}],"datePublic":"2025-09-30T09:55:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This issue affects all 3 templates: www, bip and www+bip.<br><br>This product is End-Of-Life and producent will not publish patches for this vulnerability. <br>"}],"value":"PAD CMS is vulnerable to Reflected XSS in printing and save to PDF functionality. Malicious attacker can craft special URL, which will result in arbitrary JavaScript execution in victim's browser, when opened. This issue affects all 3 templates: www, bip and www+bip.\n\nThis product is End-Of-Life and producent will not publish patches for this vulnerability."}],"impacts":[{"capecId":"CAPEC-591","descriptions":[{"lang":"en","value":"CAPEC-591 Reflected XSS"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.1,"baseSeverity":"MEDIUM","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","shortName":"CERT-PL","dateUpdated":"2025-09-30T10:04:25.946Z"},"references":[{"url":"https://cert.pl/posts/2025/09/CVE-2025-7063"}],"source":{"discovery":"INTERNAL"},"tags":["unsupported-when-assigned"],"title":"Reflected XSS in PAD CMS","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-30T19:12:54.368504Z","id":"CVE-2025-8116","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-30T19:13:04.145Z"}}]}}