CVE-2025-1107: Unverified password change vulnerability in Janto
First published: Fri Feb 07 2025(Updated: )
Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoint ‘/public/cgi/Gateway.php’.
Credit: cve-coordination@incibe.es
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Janto | <r12 |
Remedy
With the implemented patches by the Impronta team, the detected vulnerabilities have been fixed. All customers using this product in SaaS mode have been upgraded to version r12 which fixes these issues.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-1107?
CVE-2025-1107 has been classified with a high severity level due to the potential for unauthenticated password changes.
How do I fix CVE-2025-1107?
To fix CVE-2025-1107, upgrade Janto to version r12 or later immediately.
Who is affected by CVE-2025-1107?
CVE-2025-1107 affects all versions of Janto prior to r12.
What type of vulnerability is CVE-2025-1107?
CVE-2025-1107 is an unverified password change vulnerability.
Can CVE-2025-1107 allow attackers to change any user's password?
Yes, CVE-2025-1107 allows an unauthenticated attacker to change another user's password without their current password.
- agent/weakness
- agent/remedy
- agent/title
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/source
- agent/author
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/janto
- canonical/janto