CVE-2020-8493

Name of the Vulnerable Software and Affected Versions Kronos Web Time and Attendance (webTA) versions 3.8.x through 3.x before 4.0

Description A stored XSS issue affects the software via multiple input fields, including Login Message, Banner Message, and Password Instructions, of the com.threeis.webta.H261configMenu servlet. This can be exploited by an authenticated administrator.

Recommendations For versions 3.8.x through 3.x before 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the com.threeis.webta.H261configMenu servlet for authenticated administrators until a patch is available. Avoid using the vulnerable input fields (Login Message, Banner Message, and Password Instructions) in the affected servlet until the issue is resolved.