CVE-2025-1107: Unverified password change vulnerability in Janto

9.9 CVSS

Description

Unverified password change vulnerability in Janto, versions prior to r12. It could allow an unauthenticated attacker to change another user's password without knowing that user's current password. To exploit the vulnerability, the attacker must craft a specific POST request and send it to the endpoint '/public/cgi/Gateway.php'.

Classification

CVE ID: CVE-2025-1107

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Affected Products

Vendor: Impronta

Product: Janto

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 11.87% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-08 (date this score was calculated)

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janto

Timeline