Proget MDM Incorrect Authorization Vulnerability Allowing Information Disclosure

Vulnerability

An incorrect authorization vulnerability has been identified in Proget Mobile Device Management (MDM) software, all versions prior to 2.17.5. It allows low-privileged users to access information about tasks performed on devices managed by Proget MDM, including details such as the UUIDs of those devices, which are needed to exploit another vulnerability, CVE-2025-1416. Because the vulnerable endpoint applies no limit on the number of requests it accepts, an attacker can brute force the 'task_id' values required for exploitation.
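The two weaknesses described above are the classic pair behind this kind of disclosure: a task-lookup endpoint that fetches a record by its integer id without checking that the caller is allowed to see it, and no cap on how many lookups one account may make. The following is an added example, not Proget's code and not taken from the advisory; it models a minimal task-lookup handler in both its vulnerable and its corrected form. The User and Task records, the task table, the role names and the rate-limit parameters are all assumptions chosen for illustration.

```python
# Added illustration, not Proget's code: a task-lookup handler with and without
# object-level authorization and a per-user request limit. Data model,
# role names and limits are assumptions.
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str          # assumed roles: "admin" or "user"


@dataclass(frozen=True)
class Task:
    task_id: int       # small sequential integer, easy to enumerate
    device_uuid: str   # sensitive: identifies the managed device
    owner_id: str      # the only non-admin user allowed to read this task
    status: str


class NotFound(Exception):
    pass


class TooManyRequests(Exception):
    pass


# Constructed sample data standing in for the MDM task table.
TASKS = {
    1: Task(1, "11111111-1111-4111-8111-111111111111", "alice", "done"),
    2: Task(2, "22222222-2222-4222-8222-222222222222", "bob", "queued"),
}


def get_task_vulnerable(user: User, task_id: int) -> Task:
    """Looks the task up by id only: any authenticated user can read any task,
    and nothing stops the caller from trying every small integer."""
    try:
        return TASKS[task_id]
    except KeyError:
        raise NotFound(task_id)


class RateLimiter:
    """Fixed-window counter per key: at most `limit` calls per `window` seconds."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: dict = {}   # key -> (window start, count)

    def check(self, key: str) -> None:
        now = self.clock()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        if count > self.limit:
            raise TooManyRequests(key)


def get_task_fixed(user: User, task_id: int, limiter: RateLimiter) -> Task:
    """Object-level authorization plus a per-user request limit.

    The limiter is consulted before the lookup, so a missing id costs the caller
    the same as a found one. 'Exists but belongs to someone else' and 'does not
    exist' both raise NotFound, so the response does not reveal which ids are valid.
    """
    limiter.check(user.user_id)
    task = TASKS.get(task_id)
    if task is None or (user.role != "admin" and task.owner_id != user.user_id):
        raise NotFound(task_id)
    return task


def attempt(user: User, task_id: int, limiter: Optional[RateLimiter] = None) -> str:
    """Runs the fixed handler and reports an HTTP-style status for demonstration."""
    try:
        task = get_task_fixed(user, task_id, limiter or RateLimiter(100, 60))
        return f"200 {task.device_uuid}"
    except NotFound:
        return "404"
    except TooManyRequests:
        return "429"


if __name__ == "__main__":
    bob = User("bob", "user")
    print("vulnerable:", get_task_vulnerable(bob, 1).device_uuid)   # alice's device leaks
    print("fixed:     ", attempt(bob, 1))                            # 404
    shared = RateLimiter(limit=2, window=60)
    print("rate limit:", [attempt(bob, 2, shared) for _ in range(3)])  # third call is 429
```

The ownership check is the actual fix; the limiter only raises the cost of guessing. Returning the same 404 for foreign and non-existent ids removes the oracle that would otherwise let a caller map which task ids exist, and using non-sequential identifiers (random UUIDs rather than small integers) would make brute forcing impractical even without a limit.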

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information about tasks and devices, facilitating further exploitation of related vulnerabilities.

Reproduction

To reproduce this vulnerability, a low-privileged user sends requests to the vulnerable endpoint, which imposes no restriction on the number of attempts. By brute forcing low integer values of 'task_id', the user can obtain information about tasks executed on managed devices, including the UUIDs required for exploiting CVE-2025-1416.
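The enumeration just described leaves a distinctive footprint: one non-admin account walking small, consecutive task ids at high rate, with a mix of successful and not-found responses. The following is an added example, not part of the advisory and not Proget's tooling; it runs a simple sliding-window detector over constructed access-log lines. The log format, the '/api/tasks/<id>' path, the role names and the thresholds are all assumptions, so an operator would map them onto whatever the real MDM server logs.

```python
# Added illustration: detect one account enumerating sequential task ids.
# Log format, endpoint path, role names and thresholds are assumptions;
# the sample log below is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'"GET /api/tasks/(?P<task_id>\d+)" (?P<status>\d{3})$'
)


def _line(ts, user, role, task_id, status):
    return f'{ts:%Y-%m-%dT%H:%M:%SZ} user={user} role={role} "GET /api/tasks/{task_id}" {status}'


# Constructed sample: ordinary admin and user traffic, one request to another
# endpoint (ignored by the parser), and one low-privileged account walking
# task ids 1..30 one second apart, with ids above 25 not existing.
_T0 = datetime(2025, 6, 9, 19, 40, 0)
SAMPLE_LOG = [
    _line(_T0, "alice", "admin", 1042, 200),
    _line(_T0 + timedelta(seconds=5), "bob", "user", 77, 200),
    _line(_T0 + timedelta(seconds=40), "alice", "admin", 1043, 200),
    _line(_T0 + timedelta(seconds=90), "bob", "user", 78, 200),
    '2025-06-09T19:41:00Z user=bob role=user "GET /api/devices" 200',
] + [
    _line(_T0 + timedelta(seconds=i), "mallory", "user", i, 200 if i <= 25 else 404)
    for i in range(1, 31)
]


def parse(lines):
    """Keeps only task-lookup requests; other endpoints and malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "role": m["role"],
            "task_id": int(m["task_id"]), "status": int(m["status"]),
        })
    return events


def detect_enumeration(events, window=timedelta(minutes=5),
                       min_distinct=20, min_sequential=0.8):
    """Flags a user who touches at least `min_distinct` task ids inside `window`
    where at least `min_sequential` of the sorted ids are consecutive."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = sorted({e["task_id"] for e in evs[start:end + 1]})
            if len(ids) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / (len(ids) - 1) < min_sequential:
                continue
            # Threshold crossed: report the whole run inside the window.
            last = end
            while last + 1 < len(evs) and evs[last + 1]["ts"] - evs[start]["ts"] <= window:
                last += 1
            span = evs[start:last + 1]
            ids = sorted({e["task_id"] for e in span})
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            findings.append({
                "user": user,
                "role": span[0]["role"],
                "first_seen": span[0]["ts"].isoformat(),
                "distinct_ids": len(ids),
                "sequential_ratio": round(steps / (len(ids) - 1), 2),
                "ok": sum(1 for e in span if e["status"] == 200),
                "not_found": sum(1 for e in span if e["status"] == 404),
            })
            break
    return findings


def scan(lines=SAMPLE_LOG):
    return detect_enumeration(parse(lines))


if __name__ == "__main__":
    for f in scan():
        print(f)
```

The sequential-ratio test is what separates enumeration from a busy but legitimate admin console, which fetches whatever ids its users happen to open; pairing it with the role field lets the rule fire only for accounts that should never be reading other users' tasks. On an unpatched server the same rule doubles as a compensating control until the upgrade to 2.17.5 is done.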

Remediation

Users are advised to update to Proget version 2.17.5 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.