PT-2025-22329 · Unknown · Proget Mdm
Marcin Węgłowski · Published 2025-05-21 · Updated 2026-04-22 · CVE-2025-1415
CVSS v4.0: 5.1 Medium
Vector: AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Proget MDM versions prior to 2.17.5
Description
A low-privileged user can obtain information about tasks executed on devices controlled by Proget MDM, as well as details of the devices, such as their UUIDs. To perform the attack, an attacker needs to know a task id, but since it is a low integer and there is no limit on the number of requests an attacker can make to the vulnerable endpoint, the task id might simply be brute forced.
Recommendations
For versions prior to 2.17.5, update to version 2.17.5 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the task id parameter in the affected API endpoint until the issue is resolved.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Proget Mdm
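The description notes that task ids are low integers and that the endpoint accepts unlimited requests, so enumeration shows up in access logs as one account touching many distinct task ids in a short time. The following detection sketch is an added example, not code from Proget or the advisory; the log format, the `/api/PLACEHOLDER/tasks/<id>` route (the advisory does not name the endpoint), the user names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder route: the advisory does not name the vulnerable endpoint.
TASK_ROUTE = re.compile(r"^/api/PLACEHOLDER/tasks/(\d+)$")
# Assumed log format: ISO timestamp, user=<name>, method, path, status.
LINE = re.compile(r"^(\S+) user=(\S+) GET (\S+) (\d{3})$")

def find_task_id_enumeration(lines, max_distinct=5, window=timedelta(minutes=1)):
    """Return {user: peak count of distinct task ids inside one window} for
    users exceeding max_distinct. Status codes are ignored on purpose: a
    sweep over the id space produces a mix of hits and misses.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, task_id)
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, user, path, _status = m.groups()
        route = TASK_ROUTE.match(path)
        if not route:
            continue  # not the task endpoint
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, int(route.group(1))))
        while q and now - q[0][0] > window:
            q.popleft()  # drop requests that fell out of the window
        distinct = len({task_id for _, task_id in q})
        if distinct > max_distinct:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

# Constructed sample log: alice polls one task, bob walks ids 1..12.
SAMPLE_LOG = (
    ["2025-05-21T10:00:%02d user=alice GET /api/PLACEHOLDER/tasks/41 200" % s
     for s in (0, 20, 40)]
    + ["2025-05-21T10:00:%02d user=bob GET /api/PLACEHOLDER/tasks/%d %d"
       % (i, i, 200 if i % 3 == 0 else 404) for i in range(1, 13)]
    + ["2025-05-21T10:00:50 user=alice GET /api/PLACEHOLDER/devices 200"]
)

if __name__ == "__main__":
    print(find_task_id_enumeration(SAMPLE_LOG))
```

Repeated polling of a single task id does not trip the rule; only the count of distinct ids per account and window does, so thresholds should be tuned to how many tasks a legitimate user normally views.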