CVE-2025-1419
Description
Input provided in comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack.
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Konsola Proget's comment section, fixed in version 2.17.5, allows high-privileged users to inject malicious scripts.
Vulnerability Overview
The comment section of Konsola Proget, a component of the Proget MDM suite, fails to properly sanitize user input. This flaw enables a high-privileged user to perform a Stored Cross-Site Scripting (XSS) attack, as described in the official CVE description.
Exploitation Conditions
The attack requires an authenticated user with high privileges (e.g., an administrator or manager) who can post comments. The injected script is stored on the server and subsequently executed in the browsers of other users who view the affected comments, without requiring additional user interaction. The vulnerability is present in all versions of Proget before 2.17.5 [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript within the context of the victim's browser. This could lead to session hijacking, data theft, or further compromise of the MDM console, potentially affecting the management of mobile devices across an organization [2].
Mitigation
The vendor has addressed this issue in version 2.17.5 of the server-side component of Konsola Proget. Users are strongly advised to update to this patched version immediately [1]. No workarounds have been published.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <2.17.5
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.