Vulnerabilities > CVE-2020-8494 - Unspecified vulnerability in Kronos web Time and Attendance 3.8

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

kronos

NVD

Published: 2020-01-30

Updated: 2021-07-21

Summary

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H402editUser servlet allows an attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application via the emp_id, userid, pw1, pw2, supervisor, and timekeeper parameters.

Vulnerable Configurations

Part	Description	Count
Application	Kronos Kronos WEB Time AND Attendance 3.8	1

Packetstorm

data source	https://packetstormsecurity.com/files/download/156215/kronoswebta40-escalate.txt
id	PACKETSTORM:156215
last seen	2020-02-06
published	2020-02-05
reporter	Nolan B. Kennedy
source	https://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html
title	Kronos WebTA 4.0 Privilege Escalation / Cross Site Scripting

Summary

Vulnerable Configurations

Packetstorm

References