CVE-2025-59920
Description
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated blind SQL injection in time@work 7.0.5 allows attackers with the sysadmin role to execute system commands, and other authenticated users to extract data from the database.
Vulnerability Analysis
CVE-2025-59920 is a high-severity blind authenticated SQL injection vulnerability found in time@work version 7.0.5, a project hour allocation system from systems@work [1]. The flaw resides in the IDClient parameter, which is processed when a user enters hours and the application queries the database to display assigned projects. If an attacker copies the query URL and opens it in a new browser window, the IDClient parameter becomes injectable [1].
Exploitation Scenario
The vulnerability requires authentication to the application, but the attacker does not need to be a system administrator: any authenticated user can exploit the blind SQL injection to query data from the database [1]. However, the impact varies significantly by privilege level. If the attacker uses the TWAdmin user with the sysadmin role enabled, successful exploitation escalates from database access to full operating system command execution [1].
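To make the mechanism concrete, the following added example (not code from time@work or systems@work, whose stack and schema are not public here) contrasts the defect pattern with its fix. It assumes a hypothetical projects table keyed by a client id and uses SQLite only as a stand-in; the function names, table and rows are constructed. The vulnerable lookup splices the IDClient value into SQL text, so a tampered value changes which rows come back (the boolean signal a blind injection relies on), while the hardened lookup rejects non-integer input and binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data: two clients, one of which the caller must not see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE projects(id INTEGER PRIMARY KEY, id_client INTEGER, name TEXT);
        INSERT INTO projects VALUES (1, 10, 'Client10-Alpha');
        INSERT INTO projects VALUES (2, 10, 'Client10-Beta');
        INSERT INTO projects VALUES (3, 20, 'Client20-Confidential');
        """
    )
    return conn


def projects_vulnerable(conn, id_client):
    """Defect pattern: the request parameter is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the WHERE clause, so the
    result set (rows or no rows) leaks information about injected conditions.
    """
    sql = "SELECT name FROM projects WHERE id_client = " + str(id_client) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def projects_safe(conn, id_client):
    """Hardened lookup: validate the identifier's type, then bind it as a parameter.

    The database driver sends the value separately from the statement, so it
    can never be interpreted as SQL. The application's database principal should
    also run with least privilege; a sysadmin-level account is what turns a
    data-exposure bug into command execution on the host.
    """
    try:
        value = int(str(id_client).strip())
    except ValueError:
        raise ValueError("IDClient must be an integer identifier")
    rows = conn.execute(
        "SELECT name FROM projects WHERE id_client = ? ORDER BY id", (value,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign input:", projects_vulnerable(db, 10))
    print("vulnerable, tampered input:", projects_vulnerable(db, "10 OR 1=1"))
    print("safe, benign input:", projects_safe(db, "10"))
    try:
        projects_safe(db, "10 OR 1=1")
    except ValueError as exc:
        print("safe, tampered input rejected:", exc)
```

The same validate-then-bind pattern applies whatever the real database is; the point of the check is that an IDClient which is not a plain integer never reaches the query at all, and a legitimate client id returns exactly that client's projects.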
Impact and Mitigation
The CVSS v4.0 base score is 8.6 (High), with a vector indicating low attack complexity, no special attack requirements, low privileges, and no user interaction needed, with high impacts to both confidentiality and integrity [1]. The vendor has released a fix in version 8.0.4; users of version 7.0.5 are advised to upgrade immediately [1]. No public exploit is known at the time of publication [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 7.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.