CVE-2020-8495

HIGH

Kronos Web Time and Attendance <4.0 - Privilege Escalation

Title source: llm

Description

In Kronos Web Time and Attendance (webTA) 3.8.x and later 3.x versions before 4.0, the com.threeis.webta.H491delegate servlet allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application via the delegate, delegateRole, and delegatorUserId parameters.

Exploits (1)

exploitdb WORKING POC

by nxkennedy · pythonwebappsjava

https://www.exploit-db.com/exploits/48001

View Code ZIP pw:eip

References (3)

[Product, Vendor Advisory] https://www.kronos.com/products/kronos-webta

[Exploit, Third Party Advisory] http://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/156215/Kronos-WebTA-4.0-Privilege-Escalation-Cross-Site-Scripting.html

Scores

CVSS v3 7.5

EPSS 0.0497

EPSS Percentile 89.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-862

Status published

Products (1)

kronos/web_time_and_attendance 3.8 - 4.0

Published Jan 30, 2020

Tracked Since Feb 18, 2026