Vulnerabilities in PAD CMS software

ID: 60fe07bc-8e51-52aa-8169-9131c9e22270

STIX ID: report--60fe07bc-8e51-52aa-8169-9131c9e22270

Feed Name: CERT Polska

Threat Score: 75/100

Date Published: 2025-09-30

Date Updated: 2026-04-19

Author: CERT Polska

CERT Polska coordinated disclosure of nine vulnerabilities in PAD CMS (affecting all versions through 1.2.1). The issues include unrestricted file upload flaws enabling remote code execution, blind SQL injection, reflected XSS, CSRF, a password-recovery initialization bug allowing account takeover, and a client-side brute-force bypass; the product is end-of-life and no vendor patches will be published.
