CVE-2025-15560 (tag: MSSQL)
Severity: HIGH
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Analysis (AI)
CVSS base score 8.8 (HIGH). The issue is a SQL injection reachable by an authenticated user with minimal permissions through the WorkTime server "widget" API endpoint; with the Firebird backend it allows full retrieval of the database contents.
Technical Context (AI)
Classified as CWE-89 (SQL Injection). Affects WorkTime. The impact depends on the database backend: with Firebird, an attacker can retrieve all data from the database; with MSSQL, an attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.
Remediation (AI)
Monitor vendor advisories for a patch. Use parameterized queries instead of building SQL from request input. Validate input on the affected endpoint. Restrict network access to the affected service where possible.