Skip to main content

Axosoft Scrum CVE-2025-11279

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-05 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:31 vuln.today

DescriptionCVE.org

A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 via the Title parameter on the Add Work Item Page allows authenticated users with UI interaction to inject malicious CSV formulas, resulting in low-impact data manipulation. The vulnerability requires user login and deliberate user interaction to exploit, limiting real-world risk despite public exploit availability and vendor non-responsiveness.

Technical ContextAI

The vulnerability exists in the Add Work Item Page component of Axosoft Scrum, specifically in CSV export or import functionality. The Title parameter is processed without sanitization for CSV metacharacters (e.g., '=', '+', '@', '-'), allowing attackers to inject formula expressions that are executed when the CSV is opened in spreadsheet applications like Microsoft Excel. This is a CWE-74 (Improper Neutralization of Special Elements) issue where user-supplied input is not properly escaped before being written to CSV output. The attack vector is network-based, but exploitation requires prior authentication (PR:L per CVSS 4.0 vector) and user interaction (UI:P), significantly constraining the attack surface.

Affected ProductsAI

Axosoft Scrum and Bug Tracking version 22.1.1.11545 is confirmed affected. The description does not specify earlier or later versions, so the exact scope of affected releases is unclear. No CPE identifier was found in the provided references. Interested organizations should contact Axosoft or check their advisory channels for a comprehensive version list.

RemediationAI

No vendor-released patch has been identified at time of analysis, and Axosoft did not respond to early disclosure notification. Immediate remediation options are limited. As a compensating control, restrict access to the Add Work Item Page to trusted users only, and educate users not to open CSV exports in spreadsheet applications without first validating content or disabling automatic formula execution in Excel (via File → Options → Trust Center → Trust Center Settings → Dangerous File Types). Additionally, configure spreadsheet applications organization-wide to not automatically execute formulas from external sources, or use a CSV viewer that does not interpret formulas. Monitor for any security updates from Axosoft and escalate internal requests for patching. If a workaround is available through Axosoft support (e.g., disabling CSV export or sanitizing Title field input), coordinate deployment immediately.

Share

CVE-2025-11279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy