CVE-2025-15559

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on t...

CVE-2025-15563

Technical details about CVE-2025-15563 are not publicly available in the provided documents. Monitor for updates from vendors and security advisories.

CVE-2025-15562

CVE-2025-15562 is a reflected cross-site scripting vulnerability affecting NesterSoft WorkTime. The issue occurs at the server API endpoint /report/internet/urls, which reflects user-supplied data into the HTML response without proper encoding or filtering. This can allow an attacker to execute a...

CVE-2025-15561 Local Privilege Escalation in NesterSoft WorkTime

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The...

CVE-2025-15561

CVE-2025-15561 concerns the WorkTime monitoring daemon. An attacker can escalate local privileges to NT AUTHORITY\SYSTEM by placing a malicious WTWatch.exe into C:\ProgramData\wta\ClientExe (writable by Everyone); the daemon then executes it with SYSTEM privileges due to its update behavior. Affe...

CVE-2025-15559 Unauthenticated OS Command Injection in NesterSoft WorkTime

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on t...

CVE-2025-15559

Summary: CVE-2025-15559 affects NesterSoft WorkTime. An unauthenticated OS command injection in the server API endpoint used to generate/download the WorkTime client (parameter: “guid”) allows execution of arbitrary commands on the WorkTime server with NT AUTHORITY\SYSTEM privileges, potentially ...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability that stems from unauthorized inspections, which may lead to the resetting of database configurations...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability, which stems from a flaw in the monitoring of the daemon’s update behavior, potentially leading to an increase in local privileges...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability that stems from improper encoding or filtering of data at the internet/urls endpoint, which may lead to cross-site scripting attacks...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability, which stems from an SQL injection vulnerability in the widget API endpoint. This vulnerability could lead to data leaks or the execution of arbitrary...

NesterSoft WorkTime 安全漏洞

NesterSoft WorkTime is a project tracking software developed by the Canadian company NesterSoft. NesterSoft WorkTime has a security vulnerability, which stems from an OS command injection vulnerability in the server API endpoint GUID parameter. This vulnerability could allow for the execution of...