8.6

time@work 7.0.5: Unsecured Query URL Exposes User Data

CVE-2025-59920
Summary

A SQL injection issue in time@work version 7.0.5 lets an authenticated user query data from the database that they should not be able to see, and, when the request is made as the TWAdmin user with the sysadmin role enabled, execute commands on the system. The injectable input is the 'IDClient' parameter of the query URL that time@work uses to display the projects assigned to a user; the issue is reachable by copying that URL and opening it in a new browser window. To fix this, update to a patched version of time@work.

Original title
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ p...
Original description
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.
NVD CVSS 4.0: 8.6
Vulnerability type
CWE-89 SQL Injection
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026