CVE-2020-8495
7.5
CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N
Summary
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.kronos.com/products/kronos-webta
- http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta
- http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html
References
- https://www.kronos.com/products/kronos-webta
- http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta
- http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.