CVE-2025-9977

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-11-18

Last updated on: 2025-11-18

Assigner: CERT.PL

Description

Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure. Patching status is unknown because the vendor has not replied to messages sent by the CNA.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-11-18

Last Modified

2025-11-18

Generated

2026-06-16

AI Q&A

2025-11-18

EPSS Evaluated

2026-06-15

NVD

CVE-2025-9977

EUVD

EUVD-2025-198043

Affected Vendors & Products

Vendor	Product	Version / Range
times_software	e-payroll	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-209	The product generates an error message that includes sensitive information about its environment, users, or associated data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Attack-Flow Graph

Executive Summary

This vulnerability occurs because a value provided in one of the POST parameters during login to Times Software E-Payroll is not properly sanitized. This allows an unauthenticated attacker to perform Denial of Service (DoS) attacks. Although SQL injection attacks might be possible, backend filtering mechanisms have so far prevented working exploits. Additionally, attempts at command injection cause the application to return detailed error messages that disclose information about the internal infrastructure.

Impact Analysis

The vulnerability can impact you by allowing an unauthenticated attacker to cause Denial of Service (DoS) attacks, potentially disrupting the availability of the Times Software E-Payroll application. Furthermore, the disclosure of internal infrastructure information through error messages could aid attackers in crafting further attacks.

Hi! I’m here to help you understand CVE-2025-9977. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-9977

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart