TimeClock Software SQL Injection Vulnerability Allowing Username Enumeration

Vulnerability

A time-based SQL injection vulnerability has been identified in TimeClock Software version 1.01. This vulnerability allows authenticated attackers to enumerate valid usernames by manipulating the 'notes' parameter of the add_entry.php endpoint. By injecting conditional time delays, attackers can measure differences in response time to infer whether a given username exists.

Impact

Exploitation of this vulnerability could lead to unauthorized enumeration of usernames, potentially allowing for further attacks such as password guessing or phishing.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the add_entry.php endpoint. Inject a payload into the 'notes' parameter that includes a time-based conditional SQL injection. Measure the response time to determine if the username exists.
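The measurement described above leaves a signal on the server side: requests to add_entry.php that take seconds instead of milliseconds, often alongside a database time-delay function in the injected parameter. As an added example for the detection side (not code from TimeClock Software or from this advisory), the following Python script parses constructed access-log lines, decodes the 'notes' query parameter, and flags requests that either carry a known time-delay function or whose duration is an outlier against the endpoint's baseline. The log format with a trailing request-duration field, the sample lines, and the placement of 'notes' in the query string are assumptions; where 'notes' is submitted in a POST body that is not logged, only the latency signal is available, which the last sample line illustrates. The root-cause remediation is a parameterized query for the statement that stores 'notes'; this script is a monitoring complement, not a fix.

```python
"""Detect time-based SQL injection probes against add_entry.php in access logs.

Added example for this advisory; not code from TimeClock Software.
Assumed (constructed) log format, one request per line:
  ip ident user [timestamp] "METHOD path HTTP/x" status bytes duration_us
"""
import re
from statistics import median
from urllib.parse import parse_qs

TARGET_ENDPOINT = "/add_entry.php"  # endpoint named in the advisory
TARGET_PARAM = "notes"              # parameter named in the advisory

# Constructed sample traffic (not real logs). The last line carries no query
# string: a delay payload sent in an unlogged POST body shows up only as latency.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/Jan/2026:15:01:10 +0000] "POST /add_entry.php?notes=late+start HTTP/1.1" 302 183 245
10.0.0.5 - alice [29/Jan/2026:15:02:11 +0000] "POST /add_entry.php?notes=on+site HTTP/1.1" 302 183 251
10.0.0.9 - bob [29/Jan/2026:15:03:12 +0000] "POST /add_entry.php?notes=x%27+AND+SLEEP%285%29--+- HTTP/1.1" 302 183 5012044
10.0.0.9 - bob [29/Jan/2026:15:03:20 +0000] "POST /add_entry.php?notes=x%27+AND+IF%281%3D1%2CBENCHMARK%28500000%2CMD5%281%29%29%2C0%29--+- HTTP/1.1" 302 183 4890221
10.0.0.7 - carol [29/Jan/2026:15:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 120
10.0.0.9 - bob [29/Jan/2026:15:05:00 +0000] "POST /add_entry.php HTTP/1.1" 302 183 4998000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<dur_us>\d+)$'
)

# Time-delay functions used by time-based blind SQL injection across common
# backends (MySQL SLEEP/BENCHMARK, PostgreSQL pg_sleep, MSSQL WAITFOR DELAY).
DELAY_FN_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)


def parse_line(line):
    """Parse one log line into a dict with the endpoint and decoded 'notes' value."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dur_us"] = int(rec["dur_us"])
    path, _, query = rec["path"].partition("?")
    rec["endpoint"] = path
    # parse_qs percent-decodes and turns '+' into spaces, so the value is
    # matched in the form the database would actually see.
    rec["notes"] = parse_qs(query, keep_blank_values=True).get(TARGET_PARAM, [""])[0]
    return rec


def has_delay_function(value):
    """True if the decoded parameter value contains a known SQL time-delay call."""
    return DELAY_FN_RE.search(value) is not None


def detect_time_based_sqli(log_text, latency_factor=10, min_latency_us=1_000_000):
    """Return findings for add_entry.php requests that look like timing probes.

    A request is flagged when 'notes' contains a delay function, or when its
    duration is both above min_latency_us and more than latency_factor times
    the endpoint baseline. The baseline is the median duration of signature-free
    requests, so a few unlogged-body probes still stand out; a long campaign of
    such probes would drag the baseline up, which is why latency is a complement
    to the signature check rather than a replacement for it.
    """
    records = [r for r in map(parse_line, log_text.splitlines())
               if r and r["endpoint"] == TARGET_ENDPOINT]
    for r in records:
        r["signature"] = has_delay_function(r["notes"])
    clean = [r["dur_us"] for r in records if not r["signature"]]
    baseline = median(clean) if clean else 0

    findings = []
    for r in records:
        reasons = []
        if r["signature"]:
            reasons.append("delay_function")
        if r["dur_us"] >= min_latency_us and r["dur_us"] > latency_factor * baseline:
            reasons.append("latency_outlier")
        if reasons:
            findings.append({"ip": r["ip"], "user": r["user"], "ts": r["ts"],
                             "notes": r["notes"], "dur_us": r["dur_us"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_time_based_sqli(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['dur_us'] / 1e6:.2f}s "
              f"reasons={','.join(f['reasons'])} notes={f['notes']!r}")
```

Run against the constructed sample, the script reports three findings, all from the same authenticated user: two with both a delay-function signature and a latency outlier, and one with only the latency signal. Correlating repeated slow requests to this endpoint per user or source IP is the practical alert condition, since a single slow request is easily explained by database load.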

Added: Jan 29, 2026, 3:37 PM
Updated: Jan 29, 2026, 4:57 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.