CVE-2025-15560

High CVSS: 8.8

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.

Vendor

Nestersoft

Product

Worktime

CWE

CWE-89

Yayın Tarihi

2026-02-19 11:15:56

Güncelleme

2026-02-26 02:58:58

Source Identifier

551230f0-3615-47bd-b7cc-93e92e730bbf

KEV Date Added

Kategoriler

CWE-89 Worktime HIGH Nestersoft 2026

Referanslar

https://r.sec-consult.com/worktime

Benzer Kayıtlar

High

CVE-2025-15561

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system…

Medium

CVE-2025-15562

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper enco…

Medium

CVE-2025-15563

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the…

Critical

CVE-2025-15559

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server…