CVE-2020-8494

Published: Jan 30, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H402editUser servlet allows an attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application via the emp_id, userid, pw1, pw2, supervisor, and timekeeper parameters.

Affected (1)

Products: Kronos: Web Time And Attendance

1 product

Web Time And Attendance

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kronos Web Time And Attendance	From 3.8 to 4.0

References (4)

http://www.nolanbkennedy.com/post/privilege-escalation-2-in-kronos-web-time-and-attendance-webta

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.kronos.com/products/kronos-webta

Source: cve@mitre.org

ProductVendor Advisory

http://www.nolanbkennedy.com/post/privilege-escalation-2-in-kronos-web-time-and-attendance-webta

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.kronos.com/products/kronos-webta

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.