Multiple vulnerabilities in the Konsola Proget software

Summary of Vulnerabilities in Konsola Proget

On May 21, 2025, Proget published several critical vulnerabilities in its software, Konsola Proget. All of them affect versions prior to 2.17.5, and they were reported to CERT Polska, which coordinated their disclosure.

Vulnerabilities Overview

The vulnerabilities (CVE-2025-1415 through CVE-2025-1421) were identified and cataloged as follows:

  1. CVE-2025-1415: This vulnerability allows low-privileged users to obtain information about tasks executed on devices managed by Proget MDM. They can also access certain device details, such as UUIDs, which are essential for further exploitation (CVE-2025-1416). Exploitation relies on brute-forcing the task_id, an integer that can be enumerated without any concurrency limits.

  2. CVE-2025-1416: A low-privileged user can retrieve the passwords of managed devices and gain unauthorized access to restricted functionality within the MDM. Knowledge of a device’s UUID is required, which can be obtained through CVE-2025-1415 or CVE-2025-1417.

  3. CVE-2025-1417: Similar to the previous vulnerabilities, this one allows a low-privileged user to access information about backup changes for all devices managed by Proget MDM. This information includes user IDs, email addresses, names, and device UUIDs. Successful exploitation requires knowledge of specific UUIDs, which cannot be brute-forced.

  4. CVE-2025-1418: Low-privileged users can access information about profiles created in Proget MDM, which detail permitted and restricted functions. However, these profiles do not reveal any confidential information.

  5. CVE-2025-1419 and CVE-2025-1420: Both vulnerabilities stem from inadequate sanitization of input fields, in Konsola Proget’s commenting section and in the activation message, respectively. Users with high privileges can carry out stored cross-site scripting (XSS) attacks.

  6. CVE-2025-1421: This vulnerability arises because data requested during the activation of a new device is stored in a database that high-privileged users can download as a CSV file. Opening this file could compromise the user’s PC, leading to remote access for attackers.
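The first three items share one defect class: a handler that looks an object up by a caller-supplied identifier and checks only that the object exists, never whether the caller is entitled to it. The following Python model is an added illustration, not Proget's code, and every name, role, record and the lookup budget in it are constructed. It places that flawed lookup beside a hardened one that enforces object-level authorization, keeps device credentials behind an explicit role check, returns one uniform error for "missing" and "not permitted", and caps how many lookups a caller may make.

```python
"""Object-level authorization for an MDM-style task and device API.

Added illustration (not Proget's code) of the defect class described for
CVE-2025-1415 and CVE-2025-1416: a handler that trusts a caller-supplied
task_id, beside a hardened version. All data and names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "operator" (low privilege)


@dataclass(frozen=True)
class Device:
    uuid: str
    owner: str  # operator allowed to manage this device
    password: str


@dataclass(frozen=True)
class Task:
    task_id: int
    device_uuid: str
    description: str


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours'."""


class TooManyLookups(Exception):
    """Raised when a caller exceeds the per-caller lookup budget."""


MAX_LOOKUPS = 20  # constructed budget; a real service would rate-limit per account


class Store:
    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.tasks: dict[int, Task] = {}
        self.lookups: dict[str, int] = {}


def can_manage(store: Store, caller: User, device_uuid: str) -> bool:
    """Admins manage every device; operators only the devices assigned to them."""
    device = store.devices.get(device_uuid)
    return device is not None and (caller.role == "admin" or device.owner == caller.name)


def get_task_vulnerable(store: Store, caller: User, task_id: int) -> Task:
    """Flawed pattern: existence is the only check, so any authenticated
    user can walk task_id = 1, 2, 3, ... and collect every device UUID."""
    task = store.tasks.get(task_id)
    if task is None:
        raise NotFound()
    return task


def get_task(store: Store, caller: User, task_id: int) -> Task:
    """Hardened pattern: object-level authorization plus a lookup budget."""
    store.lookups[caller.name] = store.lookups.get(caller.name, 0) + 1
    if store.lookups[caller.name] > MAX_LOOKUPS:
        raise TooManyLookups()
    task = store.tasks.get(task_id)
    # One error for "missing" and "not permitted", so the API does not act
    # as an oracle revealing which sequential ids exist.
    if task is None or not can_manage(store, caller, task.device_uuid):
        raise NotFound()
    return task


def get_device_password(store: Store, caller: User, device_uuid: str) -> str:
    """Knowing a UUID is not a credential: secrets require the admin role."""
    if caller.role != "admin" or device_uuid not in store.devices:
        raise NotFound()
    return store.devices[device_uuid].password


def outcome(fn, *args) -> str:
    """Map a handler call to 'allowed', 'denied' or 'throttled'."""
    try:
        fn(*args)
        return "allowed"
    except NotFound:
        return "denied"
    except TooManyLookups:
        return "throttled"


def build_sample_store() -> Store:
    """Constructed data: two operators, two devices, one task each."""
    store = Store()
    store.devices["dev-aaaa"] = Device("dev-aaaa", "alice", "pw-a")
    store.devices["dev-bbbb"] = Device("dev-bbbb", "bob", "pw-b")
    store.tasks[1] = Task(1, "dev-aaaa", "install profile")
    store.tasks[2] = Task(2, "dev-bbbb", "wipe device")
    return store


def demo() -> dict:
    store = build_sample_store()
    alice = User("alice", "operator")
    admin = User("root", "admin")
    return {
        "leaky": get_task_vulnerable(store, alice, 2).device_uuid,  # Bob's device leaks
        "hardened": outcome(get_task, store, alice, 2),             # denied
        "own": get_task(store, alice, 1).description,               # still works
        "operator_pw": outcome(get_device_password, store, alice, "dev-aaaa"),
        "admin_pw": get_device_password(store, admin, "dev-bbbb"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the check belongs on the object, not on the endpoint: an operator who legitimately uses the task endpoint must still be unable to read tasks for devices they do not manage, and the refusal must look identical to a miss so that sequential ids cannot be enumerated.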

Mitigation and Recommendations

All identified vulnerabilities have been addressed in the release of Konsola Proget version 2.17.5. Users are strongly urged to upgrade to this version to mitigate the risks involved with the previously vulnerable versions.

Proget and CERT Polska encourage responsible reporting practices for vulnerability disclosures and highlight their cooperative approach in addressing these issues.

This case serves as a reminder of the importance of rigorous authorization checks, input validation, and output sanitization in software development.
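The input-handling items (CVE-2025-1419, CVE-2025-1420 and CVE-2025-1421) call for the same discipline at two different output boundaries: text shown in an HTML page must be encoded for HTML, and text written into a CSV that an operator will open in a spreadsheet must not be interpretable as a formula. The following Python functions are an added illustration, not Proget's code; the assumption that the CSV risk is the usual formula-injection pattern is mine, since the summary only describes the effect, and all sample values are constructed.

```python
"""Output encoding for two sinks: an HTML comment view and a CSV export.

Added illustration (not Proget's code). Assumes the CSV hazard described
for CVE-2025-1421 is spreadsheet formula interpretation of cell contents.
All sample values are constructed.
"""
import csv
import html
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (or as a cell-control sequence) rather than as plain text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def render_comment(author: str, body: str) -> str:
    """Encode untrusted text for an HTML text context.

    html.escape() rewrites &, <, >, " and ' so stored input is displayed
    literally instead of being parsed as markup (the stored-XSS mitigation).
    """
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def neutralize_cell(value) -> str:
    """Make one CSV cell safe to open in a spreadsheet.

    A leading apostrophe forces spreadsheet applications to treat the cell
    as text. Caveat: this also prefixes legitimate values such as negative
    numbers or phone numbers written with a leading '-' or '+', which is the
    accepted trade-off for untrusted data.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_csv(rows: list[dict], fieldnames: list[str]) -> str:
    """Serialize rows with every cell neutralized and quoted.

    QUOTE_ALL keeps embedded separators and quotes inside their cell (the
    csv module doubles embedded double quotes), so a value cannot spill
    into neighbouring columns.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


def demo() -> tuple[str, str]:
    # Constructed activation records: one cell starts with '=', one with '-'.
    rows = [
        {"device_name": "=1+1", "note": "-5 degrees, say \"hi\""},
        {"device_name": "tablet-07", "note": None},
    ]
    csv_text = export_csv(rows, ["device_name", "note"])
    page = render_comment("alice", 'Hello <b>world</b> & "friends"')
    return csv_text, page


if __name__ == "__main__":
    csv_text, page = demo()
    print(csv_text)
    print(page)
```

Encoding at the sink, rather than stripping characters at the input, is what keeps both paths correct: the same stored string can be rendered safely into HTML by one function and into CSV by the other, and neither depends on the other having run.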

Conclusion

The vulnerabilities in Konsola Proget exemplify critical security flaws related to user authorization and input handling, which could expose sensitive data and systems to unauthorized users. Proget, through timely updates and coordination with CERT Polska, aims to strengthen the security of its products and protect users from potential exploits.

For further inquiries or insights into the vulnerability disclosure process, visit CERT Polska’s website for additional resources.
