Impact
The vulnerability is a Boolean‑based blind SQL injection that arises from the application’s failure to validate input used in ORDER BY clauses. Because ORDER BY identifies a column rather than a value, it cannot be protected by ordinary parameter binding, so an unvalidated sort parameter is concatenated directly into the query. This allows an attacker to craft queries whose responses differ depending on whether an injected condition is true or false, enabling iterative enumeration of database contents and the potential alteration of sensitive data. The injection is not limited to a single endpoint: it spans project and task management, reporting and financial data, socket.io handlers, and resource allocation features. The impact is significant because it can reveal confidential project information, financial records, and real‑time operational data to an adversary.
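The standard mitigation for this class of flaw is to never place user-controlled text in ORDER BY at all: the request names a sort field, the server maps that name through a fixed allowlist to a column it chose, and anything outside the list is rejected. The following TypeScript is an added example written for this page and is not Worklenz code; the column names, the `p.` alias, the `team_id` filter and the function names are assumptions chosen for illustration.

```typescript
// Added example (not from Worklenz): allowlist-based ORDER BY construction.
// ORDER BY cannot take a bound parameter, so the sort field supplied by the
// client is only ever used as a lookup key, never as SQL text.

type SortDirection = "ASC" | "DESC";

// Hypothetical project listing: the only fields a client may sort by, keyed by
// the public API name and mapped to a column chosen by the server.
const PROJECT_SORT_COLUMNS: Readonly<Record<string, string>> = {
  name: "p.name",
  created: "p.created_at",
  status: "p.status_id",
};

interface OrderBy {
  sql: string;          // the fragment appended to the query
  field: string;        // the allowlisted API field name that was accepted
  direction: SortDirection;
}

// Returns an ORDER BY fragment for an allowlisted field, or null for any
// other input. Callers should answer null with a 400 rather than silently
// falling back to a default, so that probing of the sort parameter is visible.
function buildOrderBy(
  allowlist: Readonly<Record<string, string>>,
  rawField: unknown,
  rawDirection: unknown,
): OrderBy | null {
  // Own-property lookup: keys such as "constructor" must not resolve through
  // the prototype chain to a non-string value.
  if (typeof rawField !== "string" || !Object.prototype.hasOwnProperty.call(allowlist, rawField)) {
    return null;
  }
  const column = allowlist[rawField];

  let direction: SortDirection;
  if (rawDirection === undefined) {
    direction = "ASC";
  } else if (typeof rawDirection === "string" && rawDirection.toUpperCase() === "ASC") {
    direction = "ASC";
  } else if (typeof rawDirection === "string" && rawDirection.toUpperCase() === "DESC") {
    direction = "DESC";
  } else {
    return null;
  }

  // Both pieces of the fragment come from server-side constants.
  return { sql: `ORDER BY ${column} ${direction}`, field: rawField, direction };
}

interface PreparedQuery {
  text: string;
  values: string[];
}

// Builds the full listing query: the row filter uses a bound parameter ($1,
// PostgreSQL placeholder syntax) and the ordering comes only from the allowlist.
// Returns null when the sort request is not acceptable.
function projectListQuery(teamId: string, rawField: unknown, rawDirection: unknown): PreparedQuery | null {
  const orderBy = buildOrderBy(PROJECT_SORT_COLUMNS, rawField ?? "name", rawDirection);
  if (orderBy === null) {
    return null;
  }
  return {
    text: `SELECT p.id, p.name, p.status_id FROM projects p WHERE p.team_id = $1 ${orderBy.sql}`,
    values: [teamId],
  };
}

// Stand-alone demonstration with constructed inputs.
const accepted = projectListQuery("team-1", "created", "desc");
const rejected = projectListQuery("team-1", "created_at; anything", "desc");
console.log(accepted ? accepted.text : "accepted: rejected unexpectedly");
console.log(rejected === null ? "unlisted sort field rejected" : "rejected: accepted unexpectedly");
```

Two design points are worth noting. The map goes from API name to column, so the client never learns real column names and renaming a column does not change the API. And a rejected value returns null rather than a default ordering: a request that names a sort field outside the allowlist is malformed, and logging those rejections per client gives a cheap detection signal for the kind of probing a blind injection requires.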
Affected Systems
All installations of Worklenz prior to version 2.1.7 are affected. The issue was present in the backend’s handling of project and task management controllers, reporting and financial data endpoints, real‑time socket.io handlers, and resource allocation and scheduling features. The vendor released a fix in Worklenz v2.1.7, which addresses all identified injection vectors.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. The EPSS score is below 1%, signifying a low likelihood of exploitation in the wild; the vulnerability is publicly documented but is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, through a web interface that accepts ORDER BY parameters. Exploitation would allow attackers to extract or modify data stored in the Worklenz database, potentially leading to a breach of the confidentiality, integrity, or availability of project information.
OpenCVE Enrichment