CVE-2025-15560

Name of the Vulnerable Software and Affected Versions WorkTime (affected versions not specified)

Description An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server ''widget'' API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data. The vulnerable API endpoint is ''/widget''.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.