PT-2020-20174 · Kronos · Kronos Web Time/Attendance

Published: 2020-01-30 · Updated: 2021-07-21 · CVE-2020-8494

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: Kronos Web Time and Attendance (webTA) versions 3.8.x through 3.x before 4.0

Description: An attacker who already holds specific privileges in the application can gain unauthorized administrative privileges. The escalation goes through the com.threeis.webta.H402editUser servlet and involves parameters such as emp id, userid, pw1, pw2, supervisor, and timekeeper.

Recommendations: For versions 3.8.x through 3.x before 4.0, consider disabling the com.threeis.webta.H402editUser servlet until a patch is available. Restrict access to the emp id, userid, pw1, pw2, supervisor, and timekeeper parameters to reduce the risk of unauthorized privilege escalation to an administrative role.


Related Identifiers

CVE-2020-8494

Affected Products

Kronos Web Time/Attendance