Description
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE conditional statements to dump sensitive database information including employee names and credentials.
Published: 2026-05-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a time-based and boolean-based blind SQL injection in the login_userid parameter of login.php, enabling attackers to craft POST requests that use sleep functions or conditional statements to retrieve sensitive data from the database, including employee names and credentials. The flaw permits denial of confidential data and potential compromise of user information. The core weakness is a classic SQL injection attack (CWE-89).

Affected Systems

The affected product is PHP Timeclock version 1.04. No other versions are listed as vulnerable, and the CNA identifies only this single version. Users deploying this version on any web server that processes login requests are at risk.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is considered high severity. Although EPSS scores are not available, the absence of a KEV listing does not diminish the likelihood of exploitation, especially given the commonality of SQL injection. The attack vector is inferred to be a web-based POST request to login.php, requiring no credentials, thus an unauthenticated attacker can trigger the injection remotely even from external networks, provided the web application is reachable.

Generated by OpenCVE AI on May 15, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PHP Timeclock to a version that patches the SQL injection flaw
  • Restrict access to login.php using network controls, such as IP whitelisting or VPNs
  • Enforce strict input validation or use parameterized queries for the login_userid field

Generated by OpenCVE AI on May 15, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE conditional statements to dump sensitive database information including employee names and credentials.
Title PHP Timeclock 1.04 SQL Injection via login.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T22:22:09.612Z

Reserved: 2026-05-15T16:36:50.147Z

Link: CVE-2021-47966

cve-icon Vulnrichment

Updated: 2026-05-15T22:12:26.773Z

cve-icon NVD

Status : Received

Published: 2026-05-15T19:16:56.293

Modified: 2026-05-15T19:16:56.293

Link: CVE-2021-47966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses