CVE-2020-14982
MEDIUMKronos WebTA 3.8.x-<4.0 - Authenticated Blind SQL Injection via SortBy Parameter
Title source: llmDescription
A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://www.mindpointgroup.com/articles/
Exploit, Third Party Advisory x_refsource_misc
https://www.mindpointgroup.com/blog/webta-sqli-vulnerability/
Scores
CVSS v3
6.5
EPSS
0.0128
EPSS Percentile
66.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-89
Status
published
Products (1)
kronos/web_time_and_attendance
3.8 - 4.0
Published
Jul 15, 2020
Tracked Since
Feb 18, 2026