CVE-2025-51683

Name of the Vulnerable Software and Affected Versions mJobtime version 15.7.2

Description A blind SQL Injection (SQLi) issue exists in mJobtime version 15.7.2. An unauthenticated attacker can execute arbitrary SQL statements by sending a specially crafted POST request to the /Default.aspx/update profile Server API endpoint. Exploitation involves submitting a malicious request to this endpoint, potentially allowing unauthorized access to the database. Real-world exploitation has been observed, with attackers leveraging the vulnerability to execute xp cmdshell commands and gain elevated permissions on the backend MSSQL server.

Recommendations Update to a newer version of mJobtime that addresses this SQL injection issue. As a temporary workaround, restrict access to the /Default.aspx/update profile Server endpoint to authorized users only.