CVE-2020-8495

Published: Jan 30, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.

Affected (1)

Products: Kronos: Web Time And Attendance

1 product

Web Time And Attendance

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Kronos Web Time And Attendance	From 3.8 to 4.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html

Source: cve@mitre.org

ExploitThird Party Advisory

http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.kronos.com/products/kronos-webta

Source: cve@mitre.org

ProductVendor Advisory

http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.kronos.com/products/kronos-webta

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.