Worktime
CVE-2025-15563
MEDIUM
Severity by source
NVD: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
Description (CVE.org)
Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
Analysis (AI)
Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied to this request. [CVSS 5.3 MEDIUM]
Technical Context (AI)
Classified as CWE-862 (Missing Authorization). Affects WorkTime. Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server; the server performs no authorization check on that request.
Remediation (AI)
Monitor vendor advisories for a patch. Until one is available, restrict network access to the WorkTime server so that it is reachable only from trusted hosts.
Unauthenticated OS command injection in NesterSoft WorkTime via report generation API. Allows executing arbitrary comman
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper enco
Same weakness: CWE-862 – Missing Authorization
Same technique: Authentication Bypass