PT-2026-20389 · Time@Work · Time@Work
Published
2026-02-18
·
Updated
2026-02-18
·
CVE-2025-59920
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
time@work version 7.0.5
Description
The software performs a query to display projects assigned to a user when hours are entered. Copying and opening the query URL in a new browser window reveals that the
IDClient parameter is susceptible to a blind authenticated SQL injection. Exploiting this with a user account possessing the sysadmin role allows for command execution on the system. Even without the sysadmin role, a user can still query data from the database.Recommendations
Apply a fix or update to address the SQL injection issue in the
IDClient parameter. As a temporary workaround, restrict access to the vulnerable query URL.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Time@Work