QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-59920

Back to search

CVE-2025-59920

Published: Feb 18, 2026

Modified: Feb 18, 2026

PUBLISHED

Description

When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.

VendorProductVersions

systems at work

time at work

affected
7.0.5

Weaknesses (CWE)

CWE-89

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now