mJobtime Blind SQL Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A blind SQL injection vulnerability has been identified in mJobtime version 15.7.2. It allows unauthenticated attackers to execute arbitrary SQL statements by sending a crafted POST request to the /Default.aspx/update_profile_Server endpoint. The injection is classified as blind because the application does not return error messages that could be used to exploit the vulnerability directly; successful execution can instead be confirmed using SQL Server features.
Impact
An attacker who exploits this vulnerability can execute arbitrary SQL commands on the database, which could lead to unauthorized data access or manipulation. Additionally, according to InfoGuard, this vulnerability could be chained with another identified vulnerability (CVE-2025-51682) to achieve remote code execution.
Reproduction
The vulnerability can be reproduced by sending a POST request with a crafted payload to the /Default.aspx/update_profile_Server endpoint. After the response is intercepted and modified, access to the administrative interface can be gained. From there, the SQL injection can be exploited by executing SQL commands that leverage SQL Server features, such as xp_cmdshell, to execute commands on the server.
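For triage, the following added example (not part of the advisory or the vendor's code) scans IIS W3C logs for POST requests to the endpoint named above and summarises them per client IP. It assumes the application is served by IIS with standard W3C field names; the sample log lines and the function names are constructed for illustration.

```python
from collections import defaultdict

# Endpoint named in the advisory; IIS paths are case-insensitive.
ENDPOINT = "/default.aspx/update_profile_server"

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-01-01 10:00:01 192.0.2.10 GET /Default.aspx 200
2025-01-01 10:00:05 198.51.100.7 POST /Default.aspx/update_profile_Server 200
2025-01-01 10:00:06 198.51.100.7 POST /default.aspx/UPDATE_PROFILE_SERVER 500
2025-01-01 10:00:09 192.0.2.10 POST /Default.aspx/other_method 200
"""

def parse_w3c(lines):
    """Yield one dict per request, honouring each #Fields header in the file."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header may change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def endpoint_posts(lines):
    """Summarise POSTs to ENDPOINT per client IP: count, statuses, first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "statuses": set(), "first": None, "last": None})
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        seen = f"{rec.get('date')} {rec.get('time')}"
        entry = summary[rec.get("c-ip", "unknown")]
        entry["count"] += 1
        entry["statuses"].add(rec.get("sc-status"))
        entry["first"] = entry["first"] or seen
        entry["last"] = seen
    return dict(summary)

if __name__ == "__main__":
    for ip, info in endpoint_posts(SAMPLE_LOG.splitlines()).items():
        print(ip, info["count"], sorted(info["statuses"]), info["first"], info["last"])
```

IIS does not log POST bodies, so this shows only who reached the endpoint and when; inspecting the payloads themselves requires a WAF or proxy log.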
