| CVE ID | Publication date | Vendor | Product | Vulnerable versions | Vulnerability type (CWE) | Report source |
|---|---|---|---|---|---|---|
| CVE-2025-1415 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Incorrect Authorization (CWE-863) | Report to CERT Polska |
| CVE-2025-1416 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Incorrect Authorization (CWE-863) | Report to CERT Polska |
| CVE-2025-1417 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Incorrect Authorization (CWE-863) | Report to CERT Polska |
| CVE-2025-1418 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Incorrect Authorization (CWE-863) | Report to CERT Polska |
| CVE-2025-1419 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) | Report to CERT Polska |
| CVE-2025-1420 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) | Report to CERT Polska |
| CVE-2025-1421 | 21 May 2025 | Proget | Proget | All before 2.17.5 | Improper Neutralization of Formula Elements in a CSV File (CWE-1236) | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Konsola Proget software (server part of the Proget MDM suite) and participated in coordination of their disclosure.
The vulnerability CVE-2025-1415: A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM, as well as details of the devices, such as their UUIDs, which are needed for exploitation of CVE-2025-1416.
In order to perform the attack, one has to know a task_id, but since it is a low integer and there is no limit on the number of requests an attacker can send to the vulnerable endpoint, the task_id can simply be brute forced.
The vulnerability CVE-2025-1416: In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM. For this to happen, they must know the UUIDs of the targeted devices, which might be obtained by exploiting CVE-2025-1415 or CVE-2025-1417.
The vulnerability CVE-2025-1417: In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM. This information includes user IDs, email addresses, first names, last names and device UUIDs. The last of these can be used for exploitation of CVE-2025-1416.
Successful exploitation requires the UUID of a targeted backup, which cannot be brute forced.
The vulnerability CVE-2025-1418: A low-privileged user can access information about profiles created in Proget MDM, which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their usage in connected devices).
The vulnerability CVE-2025-1419: Input provided in the comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack.
The vulnerability CVE-2025-1420: Input provided in a field containing activationMessage in Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack.
The vulnerability CVE-2025-1421: Data provided in a request sent to the server while activating a new device is stored in a database. Other high-privileged users might later download this data as a CSV file and compromise their PC by opening it in a tool such as Microsoft Excel; the attacker could thereby gain remote access to the user's PC.
All these issues have been fixed in Proget version 2.17.5.
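As an added illustration of the control that addresses the CSV issue above (CVE-2025-1421), the following export routine neutralizes formula elements before writing cells to a CSV file. This is example code written for this page, not Proget's own, and it assumes the commonly cited spreadsheet formula prefixes (=, +, -, @, tab, carriage return) as triggers; the device records are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula (assumed list; follows the commonly cited CSV-injection prefixes).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will treat as plain text.

    Values that start with a formula trigger are prefixed with a single quote,
    which spreadsheet applications treat as a literal-text marker. The csv
    writer below adds the surrounding double quotes and doubles any embedded
    quotes, so the cell cannot break out of its field either.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def find_formula_cells(rows):
    """Audit helper: return (row_index, col_index) of every cell that would be
    neutralized, so an exporter can log which user-supplied values were risky."""
    flagged = []
    for r, row in enumerate(rows):
        for c, value in enumerate(row):
            if value is not None and str(value).startswith(FORMULA_TRIGGERS):
                flagged.append((r, c))
    return flagged


def export_csv(header, rows):
    """Write header and rows to a CSV string with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one device name was submitted during activation
    # and starts with a formula character.
    sample_rows = [["dev-1", "Alice", "iPhone 12"],
                   ["dev-2", "Bob", "=SUM(A1:A9)"]]
    print(find_formula_cells(sample_rows))
    print(export_csv(["device_id", "owner", "device_name"], sample_rows))
```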
Credits
We thank Marcin Węgłowski (AFINE) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.