PT-2025-22353 · Microsoft+1 · Office Excel+1
Marcin Węgłowski
Published: 2025-05-21 · Updated: 2025-05-21
CVE-2025-1421
CVSS v4.0: 2.4 (Low)
Vector: AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Konsola Proget (server part of the MDM suite) versions prior to 2.17.5
Description
The issue arises when data provided in a request to the server during new device activation is stored in a database. High-privileged users who download this data as a CSV file and open it in tools like Microsoft Excel may inadvertently corrupt their PC, potentially allowing an attacker to gain remote access to the user's PC.
Recommendations
For versions prior to 2.17.5, update to version 2.17.5 to resolve the issue. As a temporary workaround, consider restricting access to the database and limiting the ability of high-privileged users to download and open potentially malicious CSV files. Avoid using Microsoft Excel or similar tools to open downloaded CSV files from the server until the issue is resolved.
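A defensive pre-processing step for the temporary workaround above, as an added example that is not part of the original advisory or the vendor's code: it flags and neutralizes cells in a downloaded CSV that a spreadsheet would evaluate rather than display. It assumes the risk comes from spreadsheet formula interpretation of stored values (the advisory does not name the mechanism); the prefix list, function names and sample export are constructed for illustration.

```python
import csv
import io
import re

# Leading characters a spreadsheet may treat as the start of a formula.
# Assumption: list follows common CSV-injection guidance, not the advisory.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
# Plain signed numbers such as -5 or +3.14 are legitimate data, not formulas.
NUMBER = re.compile(r"[+-]?\d+([.,]\d+)?")


def is_risky(cell: str) -> bool:
    """True when a cell would be evaluated instead of shown as text."""
    if NUMBER.fullmatch(cell.strip()):
        return False
    return cell.lstrip(" ").startswith(FORMULA_PREFIXES)


def sanitize_csv(text: str):
    """Return (sanitized CSV text, findings as (row, column, original))."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean = []
        for c, cell in enumerate(row, start=1):
            if is_risky(cell):
                findings.append((r, c, cell))
                cell = "'" + cell  # leading quote forces text display
            clean.append(cell)
        writer.writerow(clean)
    return out.getvalue(), findings


# Constructed sample export; column names and values are hypothetical.
SAMPLE_EXPORT = (
    "device_id,model,owner\n"
    "1001,Pixel 8,alice\n"
    "1002,=1+1,bob\n"
    "1003,Galaxy S24,-5\n"
    '1004,"@SUM(A1:A2)",carol\n'
)

if __name__ == "__main__":
    cleaned, hits = sanitize_csv(SAMPLE_EXPORT)
    for row, col, value in hits:
        print(f"row {row}, column {col}: neutralized {value!r}")
    print(cleaned, end="")
```

Any finding in a device-activation export is also worth reviewing as a possible indicator that untrusted input reached the database.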
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Konsola Proget
Office Excel