CVE-2025-51682
Published: 01 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-51682 is a critical client-side authorization vulnerability (CWE-602, Client-Side Enforcement of Server-Side Security) in mJobtime 15.7.2, a time management application. The flaw arises because authorization logic is enforced solely on the client side: an attacker can modify the client-side code to bypass the restrictions and reach administrative features, or analyze that code to craft direct requests that invoke the corresponding administrative functions on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low attack complexity, and the absence of any privilege or user-interaction prerequisite.
Unauthenticated attackers with network access can exploit this vulnerability without user interaction. By tampering with client-side code in their browser or using tools to intercept and modify requests, they gain unauthorized access to administrative capabilities. Direct request forging based on client-side logic enables remote invocation of sensitive server-side functions, potentially compromising confidentiality, integrity, and availability of the system.
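The weakness class described above (CWE-602), as an added illustration that is not code from mJobtime or from the advisory: a minimal handler that believes a client-supplied `is_admin` flag, beside one that derives the caller's role from the server-side session, plus a detection hook for requests whose privilege claim does not match the session. The session store, bearer tokens and the timesheet action are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed server-side session store (token -> role); the only trustworthy
# source of a caller's privileges. A real system would back this with a DB/cache.
SESSIONS: Dict[str, str] = {"tok-alice": "user", "tok-bob": "admin"}


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


def purge_timesheets() -> str:
    """Stand-in for a privileged administrative action (hypothetical)."""
    return "timesheets purged"


def session_role(req: Request) -> Optional[str]:
    """Resolve the caller's role from the bearer token and nothing else."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def admin_action_vulnerable(req: Request) -> Tuple[int, str]:
    """CWE-602 pattern: the UI hides the admin button from non-admins and sets
    is_admin=true when an admin clicks it; the server simply believes the flag,
    so any hand-built request carrying is_admin=true reaches the privileged code."""
    if req.body.get("is_admin") == "true":
        return 200, purge_timesheets()
    return 403, "forbidden"


def admin_action_fixed(req: Request) -> Tuple[int, str]:
    """Authorization is decided on the server from the authenticated session;
    client-supplied claims about privilege are never consulted."""
    role = session_role(req)
    if role is None:
        return 401, "unauthenticated"
    if role != "admin":
        return 403, "forbidden"
    return 200, purge_timesheets()


def privilege_claim_mismatch(req: Request) -> bool:
    """Detection hook: true when the client asserts admin but the session does
    not grant it, a signal worth logging as a possible forged/tampered request."""
    return req.body.get("is_admin") == "true" and session_role(req) != "admin"
```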
Advisories detailing the vulnerability, including potential mitigations, are available from InfoGuard Labs at https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ (covering CVE-2025-51682 and CVE-2025-51683) and the vendor site at http://mjobtime.com. The CVE was published on 2025-12-01.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side authorization bypass in a network-accessible time management application, directly enabling exploitation of a public-facing application for unauthorized administrative access.