Skip to main content

Axosoft Scrum CVE-2025-12249

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:30 vuln.today

DescriptionCVE.org

A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 allows authenticated remote attackers to inject malicious CSV formulas via the Title argument on the Edit Ticket Page, potentially enabling formula execution or data exfiltration when exported. Public exploit code exists and the vendor has not responded to disclosure notifications despite early contact.

Technical ContextAI

The vulnerability is a CSV injection (CWE-74) flaw in the ticket editing functionality of Axosoft Scrum. When a user manipulates the Title field on the Edit Ticket Page, unsanitized input is reflected into CSV export outputs without proper encoding or validation. CSV injection occurs when special characters (such as equals signs, plus signs, or at signs) that trigger formula evaluation in spreadsheet applications like Microsoft Excel or LibreOffice Calc are not escaped. This allows attackers to craft payloads that execute formulas, call external data sources, or exfiltrate sensitive information when a victim opens the exported CSV file in a vulnerable spreadsheet application.

Affected ProductsAI

Axosoft Scrum and Bug Tracking version 22.1.1.11545 is confirmed affected. The vulnerability specifically impacts the Edit Ticket Page component. No explicit version range was disclosed by the vendor, and no subsequent versions have been confirmed patched or vulnerable.

RemediationAI

No vendor-released patch is available given the vendor's non-response to disclosure. Organizations using affected versions should implement input validation and output encoding on the Title field to prevent CSV injection: ensure all user-supplied input destined for CSV export is properly escaped by prefixing formula-triggering characters (=, +, -, @) with a single quote or double-quote, or strip these characters entirely if not required for functionality. Alternatively, export CSV files with a data URI scheme or protective prefix that forces safe handling in spreadsheet applications. If the product is business-critical, contact Axosoft directly to request a security update or workaround. As an interim control, restrict access to the Edit Ticket Page to trusted administrators only and educate users not to enable formula recalculation for untrusted CSV files.

Share

CVE-2025-12249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy