CVE-2025-15398 · HIGH 8.1 · EPSS p37.8%

CVE-2025-15398

Description

A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Manipulation of this function leads to a weak password recovery mechanism. The attack can be executed remotely. This attack is characterized by high complexity, and exploitation is reported to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% probability of exploitation · percentile 37.8% · 2026-06-18T12:00:27Z
Published: 2025-12-31
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

References

  1. https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq
  2. https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--trigger-password-reset-for-victim--strong---span-
  3. https://vuldb.com/?ctiid.339207
  4. https://vuldb.com/?id.339207
  5. https://vuldb.com/?submit.720129

Type     | Target                                                            | Confidence | Tier
Weakness | Weak Password Recovery Mechanism for Forgotten Password (cwe-640) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-2895
  2. CVE-2025-13565
  3. CVE-2025-12288
  4. CVE-2025-12325
  5. CVE-2025-48986
  6. CVE-2026-11515
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.