Multiple vulnerabilities in Kronos Web Time and Attendance (webTA)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-8493 CVE-2020-8494 CVE-2020-8495 |
| CWE-ID | CWE-79 CWE-264 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Kronos webTA Client/Desktop applications / Other client software |
| Vendor | Kronos Incorporated |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Stored cross-site scripting
EUVDB-ID: #VU24799
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2020-8493
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "Login Message", "Banner Message", or "Password Instructions" field of the "/servlet/com.threeis.webta.H261configMenu" servlet. A remote administrator can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
This vulnerability affects the following versions of Kronos Web Time and Attendance:
- 3.8.x and later
Install update from vendor's website.
Vulnerable software versionsKronos webTA: All versions
CPE2.3 External linkshttps://www.nolanbkennedy.com/post/stored-xss-in-kronos-web-time-and-attendance-webta
https://www.kronos.com/products/kronos-webta
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU24798
Risk: Medium
CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-8494
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists within the "emp_id", "userid", "pw1", "pw2", "supervisor" and "timekeeper" parameters due to the "com.threeis.webta.H402editUser" servlet allows a remote attacker with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges within the application.
This vulnerability affects the following versions of Kronos Web Time and Attendance:
- 3.8.x and later
Install updates from vendor's website.
Vulnerable software versionsKronos webTA: All versions
CPE2.3 External linkshttps://www.nolanbkennedy.com/post/privilege-escalation-2-in-kronos-web-time-and-attendance-webta
https://www.kronos.com/products/kronos-webta
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU24797
Risk: Medium
CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-8495
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists within the "delegate", "delegateRole" and "delegatorUserId" parameters due to the “com.threeis.webta.H491delegate” servlet allows a remote attacker with Timekeeper or Supervisor privileges to gain unauthorized administrative privileges within the application.
This vulnerability affects the following versions of Kronos Web Time and Attendance:
- 3.8.x and later
Install updates from vendor's website.
Vulnerable software versionsKronos webTA: All versions
CPE2.3 External linkshttps://www.nolanbkennedy.com/post/privilege-escalation-in-kronos-web-time-and-attendance-webta
https://www.kronos.com/products/kronos-webta
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
