CVE-2020-14982

MEDIUM

Kronos WebTA 3.8.x-<4.0 - Authenticated Blind SQL Injection via SortBy Parameter

Title source: llm
STIX 2.1

Description

A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database.

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://www.mindpointgroup.com/articles/
Exploit, Third Party Advisory x_refsource_misc
https://www.mindpointgroup.com/blog/webta-sqli-vulnerability/

Scores

CVSS v3 6.5
EPSS 0.0128
EPSS Percentile 66.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
kronos/web_time_and_attendance 3.8 - 4.0
Published Jul 15, 2020
Tracked Since Feb 18, 2026