CVE-2025-11279
BaseFortify

Publication date: 2025-10-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-10-05
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2025-10-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: axosoft
Product: scrum_and_bug_tracking
Version / Range: 22.1.1.11545
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-1236: The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Executive Summary

CVE-2025-11279 is a CSV injection vulnerability in Axosoft Scrum & Bug Tracking version 22.1.1.11545. It occurs because the application does not properly sanitize the Title field when adding work items. An attacker with low privileges can inject malicious payloads into this field. When an administrator exports the work items to a CSV file and opens it in spreadsheet software, the payload executes, potentially allowing remote code execution and giving the attacker control over the administrator's machine. [1, 2]

Impact Analysis

This vulnerability can lead to severe impacts, including arbitrary code execution on an administrator's machine, unauthorized access, data leakage, and manipulation of application behavior. An attacker can gain a reverse shell on the administrator's system by exploiting the CSV injection when the exported data is opened in spreadsheet software. This compromises the confidentiality, integrity, and availability of the system. [1, 2]

Detection Guidance

Detection can focus on CSV files exported from Axosoft Scrum & Bug Tracking version 22.1.1.11545 whose Title column contains unsanitized input, especially entries starting with special characters such as '=', '+', '-', or '@', which are the typical triggers for CSV injection. Network detection can involve monitoring for unusual outbound connections from administrator machines that have opened such CSV files, since the exploit can lead to remote code execution and reverse shells. The resources do not provide specific commands; scanning exported CSV files for suspicious payloads in the Title field and monitoring network connections from affected hosts is recommended. [1, 2]

Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and sanitization on the Title field to escape or remove the special characters that can trigger CSV injection (e.g., '=', '+'). Since the vendor has not provided a fix and free trial/demo access to the product has been discontinued, consider replacing the affected product. Additionally, restrict user privileges to limit who can add work items, and avoid opening exported CSV files from untrusted sources or in vulnerable spreadsheet software until a fix or replacement is in place. [1, 2]
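The following added example, written for this page and not taken from the product or from the referenced resources, shows both sides of the guidance above: a scanner that flags formula-like values in the Title column of an exported CSV, and an export routine that neutralizes such cells before they reach a spreadsheet. It assumes a Title column name and constructed sample rows; it goes slightly beyond the characters the page lists by also treating a leading tab or carriage return as a trigger, since some spreadsheet parsers honour those too.

```python
import csv
import io

# Leading characters that spreadsheet software may treat as a formula trigger.
# '=', '+', '-', '@' are the ones the detection guidance lists; tab and carriage
# return are added here because some spreadsheet parsers also honour them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be parsed as a formula when the CSV is opened."""
    # Leading spaces are ignored by common spreadsheet parsers, so strip them first.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def find_suspicious_titles(csv_text: str, column: str = "Title") -> list:
    """Return (row_number, value) for every formula-like cell in `column`.

    The header counts as row 1. Benign titles that start with '-' are reported
    too: this produces a triage list, not proof of malicious intent.
    """
    hits = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        value = row.get(column) or ""
        if is_formula_like(value):
            hits.append((row_no, value))
    return hits


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote so it is stored as text."""
    return "'" + value if is_formula_like(value) else value


def safe_export(rows: list, fieldnames: list) -> str:
    """Write work items to CSV text, neutralizing every cell and quoting all fields."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(v)) for k, v in row.items()})
    return buf.getvalue()


# Constructed sample export (not real data from the product): one title that is
# a formula, one ordinary title, and one benign title that begins with a dash.
SAMPLE_EXPORT = (
    "ID,Title,Status\n"
    '1,"=SUM(1,2)",Open\n'
    "2,Fix typo in settings page,Closed\n"
    "3,-Login page layout,Open\n"
)
```

Running find_suspicious_titles(SAMPLE_EXPORT) flags rows 2 and 4, and re-scanning the output of safe_export over the same rows returns nothing, because every trigger character is now preceded by a quote.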
