SQL injection in time@work from systems@work
time@work, version 7.0.5.
INCIBE has coordinated the publication of a high-severity vulnerability affecting time@work from systems@work, a program for allocating hours worked on projects. The vulnerability was discovered by Enrique Fernández Lorenzo (Bighound).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-59920: CVSS v4.0: 8.6 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-89
The vulnerability has been fixed by the systems@work team in version 8.0.4.
CVE-2025-59920: When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2025-59920 | Alta | No | systems@work |
