CVE-2025-15562

Medium CVSS: 6.1

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.

Vendor

Nestersoft

Product

Worktime

CWE

CWE-79

Yayın Tarihi

2026-02-19 11:15:56

Güncelleme

2026-02-26 02:58:17

Source Identifier

551230f0-3615-47bd-b7cc-93e92e730bbf

KEV Date Added

Kategoriler

CWE-79 Worktime MEDIUM Nestersoft 2026

Referanslar

https://r.sec-consult.com/worktime

Benzer Kayıtlar

High

CVE-2025-15560

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo…

High

CVE-2025-15561

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system…

Medium

CVE-2025-15563

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the…

Critical

CVE-2025-15559

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server…