CVE-2025-11279
BaseFortify
Publication date: 2025-10-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axosoft | scrum_and_bug_tracking | 22.1.1.11545 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11279 is a CSV injection vulnerability in Axosoft Scrum & Bug Tracking version 22.1.1.11545. It occurs because the application does not properly sanitize the Title field when adding work items. An attacker with low privileges can inject malicious payloads into this field. When an administrator exports the work items to a CSV file and opens it in spreadsheet software, the payload executes, potentially allowing remote code execution and giving the attacker control over the administrator's machine. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including arbitrary code execution on an administrator's machine, unauthorized access, data leakage, and manipulation of application behavior. An attacker can gain a reverse shell on the administrator's system by exploiting the CSV injection when exported data is opened in spreadsheet software. This compromises confidentiality, integrity, and availability of the system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring for CSV files generated by Axosoft Scrum & Bug Tracking version 22.1.1.11545 that contain unsanitized input in the Title field, especially entries starting with special characters like '=', '+', '-', or '@' which are typical vectors for CSV injection. Network detection could involve monitoring for unusual outbound connections from administrator machines opening such CSV files, as the exploit can lead to remote code execution and reverse shells. Specific commands are not provided in the resources, but scanning exported CSV files for suspicious payloads in the Title field and monitoring network connections from affected hosts is recommended. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and sanitization on the Title field to escape or remove special characters that can trigger CSV injection (e.g., '=', '+'). Since the vendor has not provided a fix and the product is discontinued for free trial/demo access, it is recommended to consider replacing the affected product. Additionally, restrict user privileges to limit who can add work items, and avoid opening exported CSV files from untrusted sources or in vulnerable spreadsheet software until a fix or replacement is in place. [1, 2]
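As an added example (not code from BaseFortify, Axosoft or the cited resources), the check suggested in the detection answer and the neutralization suggested in the mitigation answer, in Python: it flags exported cells whose first non-space character is a formula trigger and re-emits the file with those cells quoted as text. The column names and work-item values are constructed for the illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (CWE-1236). Tab and carriage return are included because some
# spreadsheets discard them before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(cell: str) -> bool:
    """True if the cell would be evaluated as a formula when the CSV is opened."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)

def neutralize(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so it is read as text."""
    return "'" + cell if is_formula_like(cell) else cell

def scan_csv(text: str, field: str = "Title") -> list:
    """Return (row_number, value) for each formula-like value in `field`."""
    hits = []
    for number, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        value = row.get(field) or ""          # row 1 is the header line
        if is_formula_like(value):
            hits.append((number, value))
    return hits

def safe_export(text: str) -> str:
    """Re-emit a CSV with every cell neutralized and fully quoted."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({k: neutralize(v or "") for k, v in row.items()})
    return out.getvalue()

# Constructed sample export (hypothetical work items, not real Axosoft data).
# Row 102 hides the trigger behind leading spaces; row 103 is a harmless title
# that still starts with "-" and therefore must be treated the same way.
SAMPLE_EXPORT = (
    "ID,Title,Status\n"
    "101,Fix login timeout,Open\n"
    '102,"  =1+1",Open\n'
    "103,-1 is not a valid priority,Closed\n"
)

if __name__ == "__main__":
    for number, value in scan_csv(SAMPLE_EXPORT):
        print(f"row {number}: formula-like Title {value!r}")
    print(safe_export(SAMPLE_EXPORT))
```

The apostrophe prefix is visible in some spreadsheet programs, and benign values that happen to start with a trigger (such as the "-1 ..." title) are rewritten too; that is the trade-off of neutralizing at export time rather than rejecting the characters at input.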