CVE-2025-1421: Formula injection in a CSV file in Proget MDM

2.4 CVSS

Description

Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

Classification

CVE ID: CVE-2025-1421

CVSS Base Severity: LOW

CVSS Base Score: 2.4

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem Types

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Affected Products

Vendor: Proget

Product: Konsola Proget

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.44% (scored less or equal to compared to others)

EPSS Date: 2025-06-03 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1421
https://cert.pl/en/posts/2025/05/CVE-2025-1415
https://proget.pl/en/mobile-device-management/

Timeline

2025-05-21 13:40:12 UTC
CVE

Formula injection in a CSV file in Proget MDM