VYPR
Low severity · NVD Advisory · Published May 21, 2025 · Updated Apr 15, 2026

CVE-2025-1420

Description

Input provided in a field containing "activationMessage" in Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack.

This issue has been fixed in version 2.17.5 of Konsola Proget (the server part of the MDM suite).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Proget's Konsola Proget allows high-privileged users to inject malicious scripts via an unsanitized activationMessage field.

Vulnerability Overview

The vulnerability resides in the activationMessage field within the Proget server component (Konsola Proget). Input provided in this field is not properly sanitized, enabling a stored cross-site scripting (XSS) attack [1]. The issue affects all versions prior to 2.17.5.

Exploitation

To exploit this vulnerability, an attacker must already hold high-privileged user credentials within the Proget MDM console. The unsanitized input is stored on the server and later rendered in a way that allows arbitrary JavaScript execution when the field is viewed by other users [1]. This means the attack is carried out from within the administrative interface.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript within the context of other users' sessions, potentially leading to session hijacking, unauthorized actions, or data exfiltration [1]. Because the attack is stored and triggered when the malicious input is rendered, it can affect multiple users without further interaction from the attacker.

Mitigation

The vendor has fixed the issue in version 2.17.5 of the server component. Users are advised to upgrade to this or any later version to remediate the vulnerability [1]. No workarounds have been publicly documented.
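
The following is an added example, not code from the vendor or the advisory: a defender-side audit that walks stored console data and flags any field whose name contains "activationMessage" and whose value carries markup that would be active if rendered without output encoding, next to its HTML-escaped form. The data layout, the `SAMPLE` records and the names `MarkupProbe`, `probe` and `audit` are assumptions made for illustration; the page does not describe how the console stores or exports these fields.

```python
import html
from html.parser import HTMLParser

FIELD_MARKER = "activationmessage"  # advisory: fields containing "activationMessage"

class MarkupProbe(HTMLParser):
    """Collects the tags and risky attributes an HTML parser sees in a value."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def probe(value):
    parser = MarkupProbe()
    parser.feed(value)
    parser.close()
    return parser.findings

def audit(node, path=""):
    """Yield (path, findings, escaped value) for flagged activationMessage fields."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(child, str) and FIELD_MARKER in key.lower():
                findings = probe(child)
                if findings:
                    yield here, findings, html.escape(child, quote=True)
            else:
                yield from audit(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from audit(child, f"{path}[{i}]")

# Constructed sample; the console's real storage/export format is not on the page.
SAMPLE = {"profiles": [
    {"name": "default", "activationMessage": "Welcome, enrol your device."},
    {"name": "kiosk", "customActivationMessage": "<img src=x onerror=alert(1)>"},
    {"name": "lab", "note": "<b>not an activation field</b>"},
]}

if __name__ == "__main__":
    for path, findings, escaped in audit(SAMPLE):
        print(path, findings, "->", escaped)
```

A flagged value on a server older than 2.17.5 is worth reviewing together with the account that last edited it, since only a high-privileged user can write to the field.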

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
