
CVE-2025-1421 – Formula injection in a CSV file in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1421
21 May 2025 — Data provided in a request to the server while activating a new device are stored in a database. Other, high-privileged users may later download this data as a CSV file and compromise their PC by opening it in a tool such as Microsoft Excel; the attacker could gain remote access to that user's PC. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File
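The defence for CWE-1236 is applied at export time, not at enrollment: any cell that a spreadsheet would evaluate is forced to text before it is written. The following is an added example written for this page, not Proget's code; the export helper, the field names and the device-activation rows are constructed, and the second row carries the classic OWASP DDE test string as the attacker-supplied device name.

```python
"""Neutralising spreadsheet formula elements on CSV export (CWE-1236).

Hypothetical export helper written for this page, not Proget's code.
The device-activation rows below are constructed sample data.
"""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and carriage return are included because a cell beginning with them
# followed by "=" is still treated as a formula by some spreadsheet versions.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: "device_name" and "notes" are filled in by the
# enrolling device and are therefore attacker-controlled.
SAMPLE_ROWS = [
    {"device_id": "dev-001", "device_name": "iPhone 15", "notes": "ok"},
    {"device_id": "dev-002", "device_name": "=cmd|' /C calc'!A0", "notes": "-1+1"},
    {"device_id": "dev-003", "device_name": 'Bob"s phone', "notes": "@SUM(1,2)"},
]


def neutralise_cell(value):
    """Render one value safe for a CSV that will be opened in a spreadsheet.

    A leading apostrophe forces the spreadsheet to treat the cell as text.
    Quoting of embedded delimiters and double quotes is left to the csv
    writer (QUOTE_ALL below), which stops a payload from closing the cell
    and starting a new, formula-bearing one.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, neutralise=True):
    """Serialise dict rows to CSV text.

    neutralise=False reproduces the vulnerable pattern: attacker-supplied
    fields are written verbatim, and a cell such as =cmd|... is evaluated
    when an operator opens the download in Excel.
    """
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        if neutralise:
            row = {k: neutralise_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def formula_cells(csv_text):
    """Re-parse CSV text and return every cell a spreadsheet would evaluate.

    Usable as an export-time self-check or as a unit test on the exporter.
    """
    found = []
    for record in csv.reader(io.StringIO(csv_text, newline="")):
        found.extend(c for c in record if c.startswith(FORMULA_TRIGGERS))
    return found
```

Two caveats a practitioner will hit: the apostrophe is visible in the imported cell (Excel shows `'=cmd...` rather than hiding the prefix as it does for typed input), which is the accepted cost of this mitigation; and the prefix alone is not enough without proper quoting, because a value containing `,` or `"` can otherwise terminate the cell and smuggle a fresh formula into the next column.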

CVE-2025-1420 – XSS in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1420
21 May 2025 — Input provided in a field containing "activationMessage" in Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2025-1419 – XSS in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1419
21 May 2025 — Input provided in the comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
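Both CVE-2025-1420 and CVE-2025-1419 are stored XSS in values (an activation message, a comment) that are later rendered into the console's HTML. The robust fix is output encoding for the context the value lands in, rather than trying to "sanitize" on input. The following is an added example written for this page, not Konsola Proget's rendering code; the template strings, the `activationMessage` field handling and the two payloads are constructed.

```python
"""Context-aware output encoding for stored user input (CWE-79).

Hypothetical rendering code written for this page, not Konsola Proget's.
The activation message and the comment below are constructed inputs.
"""
import html
import json

# Constructed attacker inputs: a tag injection for the text context and an
# attribute-breakout for a double-quoted attribute value.
ACTIVATION_MESSAGE = '<img src=x onerror="alert(1)">'
COMMENT = '" autofocus onfocus="alert(document.cookie)'


def render_unsafe(message, comment):
    """Vulnerable: stored values interpolated raw into the page."""
    return (
        f'<p class="activation">{message}</p>\n'
        f'<input type="text" value="{comment}">'
    )


def render_safe(message, comment):
    """Hardened: each value encoded for the context it is placed in.

    html.escape() (quote=True is the default) turns & < > " ' into
    entities, which is sufficient for HTML text content and for values
    inside double-quoted attributes. It is NOT sufficient for JavaScript,
    URL or CSS contexts, which need their own encoders.
    """
    return (
        f'<p class="activation">{html.escape(message)}</p>\n'
        f'<input type="text" value="{html.escape(comment)}">'
    )


def embed_for_script(value):
    """Encode a stored string as a JavaScript string literal inside <script>.

    json.dumps yields a valid JS string literal; the extra replacement stops
    a stored "</script>" from closing the block early, which the JSON
    encoder alone does not prevent.
    """
    return json.dumps(value).replace("</", "<\\/")
```

The advisory wording ("not sanitized correctly") points at input filtering; the example encodes on output instead, because a stored value is reused in several contexts and a single input-time filter cannot be right for all of them. Input validation (length, character class) is still worth keeping, but as a defence in depth rather than the control.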

CVE-2025-1418 – Information disclosure in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1418
21 May 2025 — A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage on connected devices). This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-863: Incorrect Authorization

CVE-2025-1417 – Information disclosure in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1417
21 May 2025 — In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information includes user IDs, email addresses, first names, last names and device UUIDs; the device UUIDs can be used to exploit CVE-2025-1416. Successful exploitation requires the UUID of a targeted backup, which cannot be brute forced. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-863: Incorrect Authorization

CVE-2025-1416 – Password disclosure in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1416
21 May 2025 — In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For this to happen, they must know the UUIDs of the targeted devices, which may be obtained by exploiting CVE-2025-1415 or CVE-2025-1417. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-863: Incorrect Authorization

CVE-2025-1415 – Information disclosure in Proget MDM
https://notcve.org/view.php?id=CVE-2025-1415
21 May 2025 — A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices such as their UUIDs, which are needed to exploit CVE-2025-1416. To perform the attack one has to know a task_id, but since it is a small integer and there is no limit on the number of requests an attacker can send to the vulnerable endpoint, the task_id can simply be brute forced. This issue has been fixed in version 2.17.5 of Konsola Proget (server part of the MDM suite). • https://cert.pl/en/posts/2025/05/CVE-2025-1415 • CWE-863: Incorrect Authorization