CRITICAL🇵🇱 Wersja polska

CVE-2025-51682

CVSS 9.8v3.1pub. 2025-12-01upd. 2026-07-05

mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly.

🤖 AI Analysis
How it works

The mJobtime application bases access control on logic executed on the browser side (client-side) instead of enforcing it on the server. An attacker can modify code executed on the client side or independently construct direct HTTP requests to administrative endpoints based on it. This makes it possible to invoke arbitrary administrative functions without having the appropriate permissions. This is a classic case of CWE-602 vulnerability, where the server blindly trusts decisions made on the client side.

Impact

A remote, unauthenticated attacker can gain full access to the application's administrative functions, leading to compromise of confidentiality, integrity, and availability of the time management system.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. The key remedial action is to move authorization logic entirely to the server side, so that no requests to administrative functions are executed without verification of permissions on the backend.

Who is affected

mJobtime version 15.7.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mjobtime

    APP
    Mjobtime
    15.7.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-51683CRITICAL9.8PL ✓ten sam produkt

Blind SQL Injection w mJobtime umożliwiający dostęp bez uwierzytelnienia