CVE-2020-8495

HIGH

Kronos Web Time and Attendance <4.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8495, a PoC published by nxkennedy.

AI-analyzed exploit summary: The exploit demonstrates an authenticated privilege escalation in Kronos webTA 3.8.x (and later 3.x versions before 4.0): a user holding Timekeeper or Supervisor privileges abuses the delegation function to grant themselves administrator rights. The same script also plants a stored XSS payload for credential theft and exfiltrates sensitive user data (names and SSNs).

Description

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.
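
The bug the description points at is a missing authorization check (CWE-862): a caller who already holds a low-privilege role submits delegate, delegateRole and delegatorUserId and ends up with administrative rights, which, together with the listed prerequisite of knowing an admin username, is consistent with the servlet trusting the caller-supplied delegatorUserId instead of the authenticated session. The Python model below is an added example, not webTA's code and not the published exploit; the H491delegate servlet is closed source, so the handler logic, the user records, the role strings beyond those named in the advisory, and every function name here are constructed for illustration. It places that vulnerable decision next to a hardened one and replays the request shape the advisory describes against both.

```python
"""Model of the missing-authorization flaw in webTA's delegation flow.

Added example, not webTA code: the handler below is a hypothetical
re-creation of the failure mode the advisory describes (CWE-862) next
to a hardened version. The request parameter names (delegate,
delegateRole, delegatorUserId) and the Timekeeper/Supervisor roles come
from the advisory; the Administrator role string, user records and
function names are constructed.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a delegation request is refused."""


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    # role -> id of the user who delegated it (constructed model of delegation)
    delegated: dict = field(default_factory=dict)


def fresh_users():
    """Constructed user table: an admin (whose username the attacker is
    assumed to know), a Timekeeper and a Supervisor."""
    return {
        "admin01": User("admin01", {"Administrator"}),
        "tk_alice": User("tk_alice", {"Timekeeper"}),
        "sup_bob": User("sup_bob", {"Supervisor"}),
    }


def effective_roles(user):
    """Roles the user can act with: held directly or received by delegation."""
    return sorted(user.roles | set(user.delegated))


def delegate_vulnerable(users, session_user_id, params):
    """Vulnerable pattern: the delegator is whoever the request names in
    delegatorUserId; the authenticated session user is never consulted.
    Any logged-in user can therefore hand an administrator's role to
    themselves, provided they know the admin's username."""
    delegator = users[params["delegatorUserId"]]
    delegate = users[params["delegate"]]
    role = params["delegateRole"]
    if role not in effective_roles(delegator):
        raise AuthorizationError(f"{delegator.user_id} does not hold {role}")
    delegate.delegated[role] = delegator.user_id
    return effective_roles(delegate)


def delegate_fixed(users, session_user_id, params):
    """Hardened pattern: the delegator is always the session user. A
    delegatorUserId in the request is accepted only if it matches the
    session, and only roles the caller holds directly (not ones received
    by delegation) may be passed on."""
    caller = users[session_user_id]
    requested = params.get("delegatorUserId", caller.user_id)
    if requested != caller.user_id:
        raise AuthorizationError("delegatorUserId must be the authenticated user")
    role = params["delegateRole"]
    if role not in caller.roles:
        raise AuthorizationError(f"{caller.user_id} cannot delegate {role}")
    delegate = users[params["delegate"]]
    delegate.delegated[role] = caller.user_id
    return effective_roles(delegate)


# The escalation request shape from the advisory: a Timekeeper names the
# admin as delegator and themselves as delegate for the Administrator role.
ESCALATION = {
    "delegate": "tk_alice",
    "delegateRole": "Administrator",
    "delegatorUserId": "admin01",
}


def run_demo():
    """Replay the escalation against both handlers, then one legitimate
    delegation (admin acting from their own session) against the fix."""
    results = {}
    results["vulnerable"] = delegate_vulnerable(fresh_users(), "tk_alice", ESCALATION)
    try:
        delegate_fixed(fresh_users(), "tk_alice", ESCALATION)
        results["fixed"] = "escalated"
    except AuthorizationError as exc:
        results["fixed"] = f"refused: {exc}"
    legit = {"delegate": "tk_alice", "delegateRole": "Administrator"}
    results["legitimate"] = delegate_fixed(fresh_users(), "admin01", legit)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The hardened handler also refuses to re-delegate a role that was itself received by delegation, so a user who was legitimately granted Administrator for a period cannot propagate it further; whether the real product needs that restriction is a design decision, but it keeps the set of users who can mint admin rights equal to the set who hold them directly.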

Exploits (1)

exploitdb WORKING POC
by nxkennedy · python · webapps · java
https://www.exploit-db.com/exploits/48001


Classification
Working PoC (95% confidence)
Attack Type
Privilege Escalation | XSS | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Kronos WebTA 3.8.x and later 3.x versions before 4.0
Auth required
Prerequisites: Valid credentials with Timekeeper or Supervisor privileges · Knowledge of an admin account username
Analyzed by devstral-2, Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.0314
EPSS Percentile 86.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862 (Missing Authorization)
Status published
Products (1)
kronos/web_time_and_attendance 3.8 up to (excluding) 4.0
Published Jan 30, 2020
Tracked Since Feb 18, 2026