Axosoft Scrum CVE-2025-12249
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 allows authenticated remote attackers to inject malicious CSV formulas via the Title argument on the Edit Ticket Page, potentially enabling formula execution or data exfiltration when exported. Public exploit code exists and the vendor has not responded to disclosure notifications despite early contact.
Technical ContextAI
The vulnerability is a CSV injection (CWE-74) flaw in the ticket editing functionality of Axosoft Scrum. When a user manipulates the Title field on the Edit Ticket Page, unsanitized input is reflected into CSV export outputs without proper encoding or validation. CSV injection occurs when special characters (such as equals signs, plus signs, or at signs) that trigger formula evaluation in spreadsheet applications like Microsoft Excel or LibreOffice Calc are not escaped. This allows attackers to craft payloads that execute formulas, call external data sources, or exfiltrate sensitive information when a victim opens the exported CSV file in a vulnerable spreadsheet application.
Affected ProductsAI
Axosoft Scrum and Bug Tracking version 22.1.1.11545 is confirmed affected. The vulnerability specifically impacts the Edit Ticket Page component. No explicit version range was disclosed by the vendor, and no subsequent versions have been confirmed patched or vulnerable.
RemediationAI
No vendor-released patch is available given the vendor's non-response to disclosure. Organizations using affected versions should implement input validation and output encoding on the Title field to prevent CSV injection: ensure all user-supplied input destined for CSV export is properly escaped by prefixing formula-triggering characters (=, +, -, @) with a single quote or double-quote, or strip these characters entirely if not required for functionality. Alternatively, export CSV files with a data URI scheme or protective prefix that forces safe handling in spreadsheet applications. If the product is business-critical, contact Axosoft directly to request a security update or workaround. As an interim control, restrict access to the Edit Ticket Page to trusted administrators only and educate users not to enable formula recalculation for untrusted CSV files.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today