CRITICAL🇵🇱 Wersja polska

CVE-2025-51683

CVSS 9.8v3.1pub. 2025-12-01upd. 2026-07-05

A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint .

🤖 AI Analysis
How it works

An attacker sends a specially crafted HTTP POST request to the endpoint /Default.aspx/update_profile_Server, injecting malicious SQL code fragments into the request parameters. The vulnerability is of a blind SQLi nature — the application does not directly return query results, however the attacker can infer the contents of the database based on the application's behavior (e.g., response time or differences in responses). The absence of any authentication mechanism when accessing the vulnerable endpoint makes the exploit available to any network user.

Impact

An attacker can read, modify, or delete data collected in the application's database, including potentially authentication credentials and employee information. Depending on the database server configuration, it is also possible to escalate the attack to the operating system level.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As immediate remedial measures, it is recommended to restrict network access to the vulnerable endpoint /Default.aspx/update_profile_Server through firewall or WAF rules and to monitor logs for anomalous POST requests.

Who is affected

mJobtime version 15.7.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mjobtime

    APP
    Mjobtime
    15.7.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-51682CRITICAL9.8PL ✓ten sam produkt

mJobtime: autoryzacja po stronie klienta umożliwia dostęp do funkcji administracyjnych