Full Report
CERT Polska has received a report about 7 vulnerabilities (from CVE-2025-1415 to CVE-2025-1421) found in Proget software.
Analysis Summary
This summary consolidates the details for the seven vulnerabilities reported in Proget software, tracked from CVE-2025-1415 through CVE-2025-1421.
***
## Vulnerability Summary: Multiple Flaws in Proget Software (CVE-2025-1415 - CVE-2025-1421)
**Note on Severity:** The provided text **does not include CVSS scores** for any of the listed CVEs. Severity assessment based on technical impact is inferred below.
### CVE Details
| CVE ID | Vulnerability Type (CWE) | Description Focus |
| :-- | :-- | :-- |
| CVE-2025-1415 | Incorrect Authorization (CWE-863) | Information disclosure of device tasks/UUIDs via a brute-forceable endpoint. |
| CVE-2025-1416 | Incorrect Authorization (CWE-863) | Low-privileged user retrieves passwords for managed devices. |
| CVE-2025-1417 | Incorrect Authorization (CWE-863) | Low-privileged user accesses sensitive backup data (including device UUIDs). |
| CVE-2025-1418 | Incorrect Authorization (CWE-863) | Low-privileged user accesses information about configuration profiles. |
| CVE-2025-1419 | XSS (CWE-79) | Stored XSS via the comment section (high-privileged user context). |
| CVE-2025-1420 | XSS (CWE-79) | Stored XSS via the `activationMessage` field (high-privileged user context). |
| CVE-2025-1421 | Formula Injection in CSV (CWE-1236) | CSV export containing activation data can lead to Remote Code Execution (RCE) when opened by high-privileged users. |
### Affected Systems
- **Products:** Proget (server part of the Proget MDM suite, Konsola Proget)
- **Versions:** All versions before **2.17.5**
- **Configurations:** Applies generally to users running vulnerable versions of the Proget application.
### Vulnerability Description
This advisory covers seven vulnerabilities impacting the Proget MDM server console:
1. **Information Disclosure & Credential Theft Chain (CVE-2025-1415 to -1417):** Authorization errors allow low-privileged users to enumerate device tasks and obtain the device UUIDs they need (CVE-2025-1415, CVE-2025-1417); those UUIDs can then be used to retrieve passwords for managed devices (CVE-2025-1416). CVE-2025-1417 specifically discloses user PII and device UUIDs by granting access to backup information.
2. **Profile Information Disclosure (CVE-2025-1418):** Low-privileged users can read details of configuration profiles (though not sensitive data related to device usage).
3. **Stored Cross-Site Scripting (XSS) (CVE-2025-1419 & CVE-2025-1420):** Unsanitized input in the comment section (CVE-2025-1419) and the `activationMessage` field (CVE-2025-1420) allows a high-privileged user to inject and execute malicious scripts.
4. **CSV Formula Injection (CVE-2025-1421):** Data entered during device activation is exported in a CSV file. A high-privileged user opening this file in software like Microsoft Excel can trigger formula execution, potentially leading to Remote Code Execution (RCE) on the user's PC.
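The four CWE-863 entries share one root cause: the server checks that the caller is logged in but not that the caller is allowed to read the specific device record. The following is an added illustration of that bug class beside its fix; it is not Proget code, and the role names, the in-memory device store and the endpoint shape are assumptions made for the example. The fixed handler also returns the same error for "not permitted" and "unknown UUID", so the endpoint cannot be used to confirm which UUIDs exist (the enumeration step in the chain above).

```python
"""Object-level authorization for a device-password endpoint (CWE-863).

Added example, not Proget code. The role names, the in-memory device store
and the endpoint shape are assumptions made for illustration.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised for both 'not permitted' and 'no such device' so a caller
    cannot tell the two apart and use the endpoint to confirm UUIDs."""


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # assumed roles: "admin" or "operator"
    device_scope: frozenset   # UUIDs this user is allowed to manage


# Constructed sample data: two managed devices and their passwords.
DEVICES = {
    "dev-0001": {"name": "tablet-01", "password": "pw-A-constructed"},
    "dev-0002": {"name": "tablet-02", "password": "pw-B-constructed"},
}
ADMIN = User("admin1", "admin", frozenset())
OPERATOR = User("operator1", "operator", frozenset({"dev-0001"}))


def get_device_password_vulnerable(user, device_uuid):
    """The flawed pattern: authentication is checked, authorization is not.
    Any logged-in user who knows (or enumerates) a UUID gets the password."""
    if user is None:
        raise AuthorizationError("login required")
    return DEVICES[device_uuid]["password"]


def is_permitted(user, device_uuid):
    """Admins may read any device; other roles only devices in their scope."""
    return user.role == "admin" or device_uuid in user.device_scope


def get_device_password_fixed(user, device_uuid):
    """Deny before touching the record, and return an identical error for
    'not permitted' and 'unknown UUID' so the response cannot leak existence."""
    if user is None or not is_permitted(user, device_uuid):
        raise AuthorizationError("not permitted")
    record = DEVICES.get(device_uuid)
    if record is None:
        raise AuthorizationError("not permitted")
    return record["password"]


def try_read(handler, user, device_uuid):
    """Small harness: return the password, or the name of the error raised."""
    try:
        return handler(user, device_uuid)
    except (AuthorizationError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for handler in (get_device_password_vulnerable, get_device_password_fixed):
        print(handler.__name__, try_read(handler, OPERATOR, "dev-0002"))
```

Note that the vulnerable handler leaks existence a second way: a missing UUID raises `KeyError` (a 500 in a web framework) while a present one returns data, which is exactly the oracle a low-privileged account needs to enumerate valid UUIDs.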
### Exploitation
- **Status:** Specific exploitation status (e.g., exploited in the wild) is **Not specified** in the available text.
- **PoC Availability:** Not explicitly stated, but direct paths (like brute-forcing `task_id` for CVE-2025-1415) suggest an accessible attack surface.
- **Complexity:** Varies by CVE. CVE-2025-1415 suggests low complexity due to brute-force possibility. Exploiting CVE-2025-1421 (RCE via CSV) likely requires knowledge of the target’s software setup.
- **Attack Vector:** Ranges from Network (for remote access/information disclosure) to Local/Application context (for XSS and CSV injection).
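The CSV path (CVE-2025-1421) and the two stored XSS issues (CVE-2025-1419, CVE-2025-1420) are both output-encoding failures on the same user-supplied fields. The block below is an added, defender-side example of neutralizing both sinks; it is not Proget code. The field names `activationMessage` and `comment` come from the advisory, the CSV column layout and the sample rows are constructed, and the formula-trigger list follows the OWASP CSV injection guidance.

```python
"""Neutralizing the two sinks named in the advisory: a CSV export that a
spreadsheet will open, and a comment rendered into an HTML page.

Added example, not Proget code. Column layout and sample rows are constructed.
"""
import csv
import html
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula
# (OWASP CSV injection guidance). Tab and CR are included because some
# spreadsheets strip them before checking the first character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
COLUMNS = ("device_uuid", "activationMessage", "comment")

# Constructed sample export rows; row 2 and 3 carry the problematic inputs.
SAMPLE_ROWS = [
    {"device_uuid": "dev-0001", "activationMessage": "Welcome, device enrolled", "comment": "ok"},
    {"device_uuid": "dev-0002", "activationMessage": "=1+1", "comment": "<script>alert(1)</script>"},
    {"device_uuid": "dev-0003", "activationMessage": "+48 600 000 000", "comment": 'said "hi"'},
]


def is_formula_like(value) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return str(value).startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix a leading formula trigger with a single quote so the cell is
    treated as text. Quoting of commas and double quotes is left to csv."""
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_activations_csv(rows) -> str:
    """Write rows with every cell quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([neutralize_cell(row[col]) for col in COLUMNS])
    return buf.getvalue()


def render_comment_html(comment: str) -> str:
    """Encode for an HTML element body so stored markup is shown, not run."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    print(export_activations_csv(SAMPLE_ROWS))
    print(render_comment_html(SAMPLE_ROWS[1]["comment"]))
```

Two caveats a practitioner should keep in mind: the apostrophe prefix is visible to the user who opens the file (it is a trade-off, not a transparent fix), and `html.escape` is only correct for an HTML element body; a value placed into a JavaScript string, an attribute without quotes or a URL needs the encoding for that context instead.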
### Impact
- **Confidentiality:** High (Disclosure of device passwords, UUIDs, user PII from backups).
- **Integrity:** High (Potential for RCE via CSV injection in CVE-2025-1421).
- **Availability:** Low/Medium (Impact primarily on information security, not system downtime).
### Remediation
#### Patches
- The vendor has fixed **all** reported issues in Proget version **2.17.5**.
#### Workarounds
- **No specific workarounds** were detailed in the provided summary, so upgrading to 2.17.5 is the only mitigation listed.
### Detection
- Detection strategies are **not specified**. Security monitoring should focus on:
  - Excessive, unauthenticated, or unusual requests from low-privileged accounts to API endpoints related to tasks, user profiles, and backups (for example, many sequential `task_id` values in a short window).
  - CSV exports from the console that are opened on a workstation shortly afterwards.
  - Attempts to inject script tags into known input fields (comments, activation messages).
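The first monitoring point above can be turned into a concrete rule. The block below is an added example of that detection logic, not code from CERT Polska or Proget: it parses constructed access-log lines, and the log format, the `/api/...` paths and the role labels are assumptions. It flags a non-admin account that requests many distinct `task_id` values within a short window (the enumeration step behind CVE-2025-1415) and any non-admin request to a device-password endpoint (the retrieval step behind CVE-2025-1416).

```python
"""Detection over access logs: task_id enumeration and password reads by
low-privileged accounts.

Added example. Log format, endpoint paths and role names are assumptions;
the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO ts> user=<name> role=<role> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed endpoint families that only admins should normally touch in bulk.
SENSITIVE = re.compile(r"^/api/(tasks|backups|profiles|devices/[^/]+/password)\b")
TASK_ID = re.compile(r"task_id=(\d+)")

# Constructed sample log: operator1 walks task_id 100..111 in 12 seconds
# (every third request hits a non-existent id), then reads a device password.
SAMPLE_LOG = [
    f"2025-02-20T10:00:{i:02d}Z user=operator1 role=operator "
    f"GET /api/tasks?task_id={100 + i} {200 if i % 3 else 404}"
    for i in range(12)
] + [
    "2025-02-20T10:00:15Z user=admin1 role=admin GET /api/profiles 200",
    "2025-02-20T10:00:30Z user=operator1 role=operator GET /api/devices/dev-0002/password 200",
    "2025-02-20T10:05:00Z user=operator2 role=operator GET /api/tasks?task_id=7 200",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["status"] = int(event["status"])
    return event


def is_sequential(ids):
    """True if a set of ids is a gap-free run, the signature of a counter walk."""
    return len(ids) > 1 and max(ids) - min(ids) + 1 == len(ids)


def detect(lines, window_s=60, threshold=10):
    """Return a list of alert dicts for the rules described in the lead-in."""
    alerts = []
    task_hits = defaultdict(list)            # user -> [(ts, task_id, status)]
    for event in filter(None, map(parse_line, lines)):
        if event["role"] == "admin" or not SENSITIVE.match(event["path"]):
            continue
        m = TASK_ID.search(event["path"])
        if m:
            task_hits[event["user"]].append((event["ts"], int(m.group(1)), event["status"]))
        elif "/password" in event["path"]:
            alerts.append({"type": "low_privilege_password_access",
                           "user": event["user"], "path": event["path"]})
    for user, hits in task_hits.items():
        hits.sort()
        for start, (t0, _, _) in enumerate(hits):   # sliding window from each hit
            window = [h for h in hits[start:] if (h[0] - t0).total_seconds() <= window_s]
            ids = {tid for _, tid, _ in window}
            if len(ids) >= threshold:
                alerts.append({"type": "task_id_enumeration", "user": user,
                               "distinct_ids": len(ids), "sequential": is_sequential(ids),
                               "not_found": sum(1 for _, _, s in window if s == 404)})
                break                                # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `not_found` count is worth surfacing to the analyst: a legitimate operator rarely requests tasks that do not exist, whereas a counter walk produces 404s in proportion to the gaps in the id space.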
### References
- Vendor Advisories: Not explicitly linked, but the fix is documented in Proget version 2.17.5.
- Relevant Links:
  - [https://incydent.cert.pl/#!/lang=en](https://incydent.cert.pl/#!/lang=en)
  - [https://cert.pl/en/cvd/](https://cert.pl/en/cvd/)