CVE-2020-8495
In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N
Affected products
n/a · n/a
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html (unverified)
exploitdb: www.exploit-db.com/exploits/48001 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.