CVE-2025-1421 LOW

CVE-2025-1421: Formula injection in a CSV file in Proget MDM

Vendor Proget
Product Proget
Weakness CWE-1236
Published May 21, 2025
Last update May 21, 2025

CVSS base score

2.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

Key dates

02Disclosure timeline

May 21, 2025 CVE published
May 21, 2025 Record updated