CVE-2025-9977
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: CERT.PL
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| times_software | e-payroll | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because a value provided in one of the POST parameters during login to Times Software E-Payroll is not properly sanitized. This allows an unauthenticated attacker to perform Denial of Service (DoS) attacks. Although SQL injection attacks might be possible, backend filtering mechanisms have so far prevented working exploits. Additionally, attempts at command injection cause the application to return detailed error messages that disclose information about the internal infrastructure.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an unauthenticated attacker to cause Denial of Service (DoS) attacks, potentially disrupting the availability of the Times Software E-Payroll application. Furthermore, the disclosure of internal infrastructure information through error messages could aid attackers in crafting further attacks.