PT-2020-20175 · Kronos · Kronos Web Time/Attendance
Published
2020-01-30
·
Updated
2021-07-21
·
CVE-2020-8495
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kronos Web Time and Attendance (webTA) versions 3.8.x through 3.x before 4.0
Description
The issue allows an attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application. This is achieved via the
delegate, delegateRole, and delegatorUserId parameters in the com.threeis.webta.H491delegate servlet.Recommendations
For versions 3.8.x through 3.x before 4.0, consider restricting access to the com.threeis.webta.H491delegate servlet until a patch is available. As a temporary workaround, limit the use of the
delegate, delegateRole, and delegatorUserId parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Kronos Web Time/Attendance