CVE-2020-14982

A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
kronosweb_time_and_attendance
3.8 ≤
𝑥
< 4.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.mindpointgroup.com/articles/
https://www.mindpointgroup.com/blog/webta-sqli-vulnerability/
https://www.mindpointgroup.com/articles/
https://www.mindpointgroup.com/blog/webta-sqli-vulnerability/