CVE-2020-8493

MEDIUM

Kronos Web Time & Attendance <4.0 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8493.

AI-analyzed exploit summary This exploit demonstrates an authenticated privilege escalation (CVE-2020-8495) and stored XSS (CVE-2020-8493) in Kronos WebTA 3.8.x-4.0. It abuses delegation privileges to elevate a user to admin and injects malicious JavaScript into login/banner pages.

Description

A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions) of the com.threeis.webta.H261configMenu servlet via an authenticated administrator.

Exploits (1)

exploitdb WORKING POC
pythonwebappsjava
https://www.exploit-db.com/exploits/48001

This exploit demonstrates an authenticated privilege escalation (CVE-2020-8495) and stored XSS (CVE-2020-8493) in Kronos WebTA 3.8.x-4.0. It abuses delegation privileges to elevate a user to admin and injects malicious JavaScript into login/banner pages.

Classification
Working Poc 95%
Attack Type
Auth Bypass | Xss | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Kronos WebTA 3.8.x - 4.0
Auth required
Prerequisites: Valid Timekeeper/Supervisor credentials · Target URL · Admin account existence
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 4.8
EPSS 0.0149
EPSS Percentile 70.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
kronos/web_time_and_attendance 3.8 - 4.0
Published Jan 30, 2020
Tracked Since Feb 18, 2026