Description

When hours are entered in time@work version 7.0.5, the application runs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to authenticated blind SQL injection. If the request is made as the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability allows commands to be executed on the system; if the user does not belong to the sysadmin role, they can still query data from the database.

INFO

Published Date: 2026-02-18T13:41:02.115Z
Last Modified: 2026-02-18T14:06:31.380Z
Source: INCIBE

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-59920 vulnerability.

Vendor: Systems At Work
Product: Time At Work