Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Times Software E-Payroll software
18 November 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-9977
Publication date 18 November 2025
Vendor Times Software
Product E-Payroll
Vulnerable versions All through 20250121.0 (and potentially above)
Vulnerability type (CWE) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in Times Software E-Payroll software and participated in coordination of its disclosure.

The vulnerability CVE-2025-9977: Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure. 

Patching status is unknown because the vendor has not replied to messages sent by the CNA.

Credits

We thank Sebastian Jeż for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.