CVE-2020-8493

MEDIUM

Kronos Web Time & Attendance <4.0 - XSS

Title source: llm

Description

A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0 can be triggered by an authenticated administrator through multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet.

Exploits (1)

exploitdb WORKING POC
python, webapps, java
https://www.exploit-db.com/exploits/48001

Scores

CVSS v3 4.8
EPSS 0.0125
EPSS Percentile 79.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
kronos/web_time_and_attendance 3.8 - 4.0
Published Jan 30, 2020
Tracked Since Feb 18, 2026