Description

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, the attacker can retrieve all data from the database backend. If the MSSQL backend is used, the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-19 | Updated 2026-02-23 | Assigner SEC-VLab

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unknown

<= 11.8.8: affected

Credits

Tobias Niemann, SEC Consult Vulnerability Lab (finder)

Daniel Hirschberger, SEC Consult Vulnerability Lab (finder)

Thorger Jansen, SEC Consult Vulnerability Lab (finder)

Marius Renner, SEC Consult Vulnerability Lab (finder)

References

r.sec-consult.com/worktime (third-party-advisory)

cve.org (CVE-2025-15560)

nvd.nist.gov (CVE-2025-15560)