Vulnerabilities > CVE-2020-8495 - Incorrect Authorization vulnerability in Kronos web Time and Attendance 3.8

047910
CVSS 6.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
kronos
CWE-863
exploit available

Summary

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.

Vulnerable Configurations

Part Description Count
Application
Kronos
1

Common Weakness Enumeration (CWE)

Exploit-Db

idEDB-ID:48001
last seen2020-02-05
modified2020-02-05
published2020-02-05
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/48001
titleKronos WebTA 4.0 - Authenticated Remote Privilege Escalation

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/156215/kronoswebta40-escalate.txt
idPACKETSTORM:156215
last seen2020-02-06
published2020-02-05
reporterNolan B. Kennedy
sourcehttps://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html
titleKronos WebTA 4.0 Privilege Escalation / Cross Site Scripting