6 matches found
CVE-2020-8495
Kronos WebTA 3.8.x and 3.x before 4.0 contains a privilege-escalation vulnerability in the com.threeis.webta.H491delegate servlet. An attacker with Timekeeper or Supervisor privileges can exploit the delegate, delegateRole, and delegatorUserId parameters to gain unauthorized administrative privil...
CVE-2020-8493
CVE-2020-8493 describes a stored XSS vulnerability in Kronos Web Time and Attendance (webTA). The issue affects version 3.8.x and later 3.x before 4.0 via multiple input fields (Login Message, Banner Message, Password Instructions) of the servlet com.threeis.webta.H261configMenu when accessed by ...
CVE-2020-8494
Kronos WebTA (webTA) 3.8.x and 3.x versions prior to 4.0 are affected by CVE-2020-8494 via the com.threeis.webta.H402editUser servlet, allowing a user with Timekeeper, Master Timekeeper, or HR Admin privileges to gain unauthorized administrative privileges through parameters such as emp_id, useri...
CVE-2020-8496
CVE-2020-8496 affects Kronos Web Time and Attendance (webTA). A Stored XSS vulnerability exists in the /ApplicationBanner page triggered by the Application Banner input when the user is an authenticated administrator. The issue affects webTA 4.1.x and later 4.x versions up to, but not including, ...
CVE-2020-14982
CVE-2020-14982 describes a Blind SQL Injection in Kronos WebTA 3.8.x and later until 4.0, affecting the com.threeis.webta.H352premPayRequest servlet’s SortBy parameter. An attacker with the Employee, Supervisor, or Timekeeper role can read sensitive data from the database. The available connected...
CVE-2020-35604
Kronos WebTA 5.0.4 with SAML enabled is affected by an XXE vulnerability. Multiple sources confirm an external-entity injection flaw in the XML processing when SAML is used, enabling a successful XXE attack. The issue is described as enabling access to sensitive information, with high-severity im...