CVE-2020-35604

9.8 CRITICAL
XXE

📋 TL;DR

CVE-2020-35604 is an XML External Entity (XXE) vulnerability in Kronos WebTA 5.0.4 that is reachable only when SAML authentication is configured. An attacker who can submit a SAML message to the server can declare an external entity in it and have the XML parser read files that the WebTA service account can access, exposing configuration files, credentials and user data. Organizations running WebTA 5.0.4 with SAML enabled are affected; deployments using basic authentication are not.

💻 Affected Systems

Products:
  • Kronos WebTA
Versions: 5.0.4
Operating Systems: Windows Server (typical deployment)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SAML authentication is enabled. Basic authentication deployments are not affected.

📦 What is this software?

Kronos WebTA is a web-based time and attendance application. When SAML is configured, users sign in through an external identity provider and the WebTA server parses the XML SAML response that the browser posts back to it; that parsing step is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of configuration files that hold database or service credentials, which an attacker then uses to authenticate to back-end systems, move laterally and stage ransomware; the XXE itself is a read primitive, the server compromise follows from what is read.

🟠

Likely Case

Unauthorized access to sensitive server files including configuration files, credentials, and user data.

🟢

If Mitigated

Limited impact if proper network segmentation and file system permissions are in place.

🌐 Internet-Facing: HIGH - WebTA is typically internet-facing so staff can record time from anywhere, which means the SAML endpoint that parses attacker-supplied XML is reachable by anyone.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they have network access to the WebTA server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE is a well-understood bug class with mature tooling. The SAML requirement is a precondition on the target's configuration, not a barrier for the attacker: the SAML response is attacker-supplied and is parsed before any credential has been verified, which is why the exploit is rated unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.5 or later

Vendor Advisory: https://www.kronos.com/products/kronos-webta

Restart Required: Yes

Instructions:

1. Download WebTA 5.0.5 or later from the Kronos support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the WebTA service and the web server.
5. Verify that SAML sign-in still works.

🔧 Temporary Workarounds

Disable SAML Authentication

windows

Temporarily switch to basic authentication until patching is possible. The vulnerable code path is only reached when a SAML message is parsed, so removing SAML removes the exposure, at the cost of falling back to local passwords and losing any MFA that the identity provider enforced.

Modify the WebTA configuration (web.config in the deployment this page assumes) to remove the SAML settings and enable basic auth, following the vendor's configuration guide for your version.

XML Parser Hardening

all

Configure the XML parser to reject DTDs and disable external entity processing. This only applies where you control the parsing code; for a vendor product that is the vendor's fix, not an administrator's knob.

On .NET, set XmlReaderSettings.DtdProcessing to DtdProcessing.Prohibit and the XmlResolver property to null, as the page suggests. On a Java stack the equivalent is setting the feature http://apache.org/xml/features/disallow-doctype-decl to true on the DocumentBuilderFactory (or SAXParserFactory), with external-general-entities and external-parameter-entities set to false as defence in depth. Rejecting the DOCTYPE outright is preferable to only disabling entity resolution, since the SAML specification never requires a DTD.
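As an added example (not WebTA's code and not the vendor's fix), the following standard-library Python program puts the two parser configurations side by side on a constructed SAML response: an xml.sax parser with external general entities enabled copies the contents of a file named in a SYSTEM entity into the Issuer element, while the hardened variant refuses any DOCTYPE and keeps external entity resolution off. The secret file, the SAML response and the identity provider URL are all constructed for the demo.

```python
"""Vulnerable vs hardened parsing of a SAML Response carrying an XXE payload.

Illustrative code, not WebTA's. Uses only the Python standard library.
"""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

IDP = "https://idp.example.gov"  # hypothetical identity provider


def build_secret_file(contents="db.password=hunter2\n"):
    """Create a throwaway file standing in for a server-side config file."""
    fd, path = tempfile.mkstemp(prefix="webta-demo-", suffix=".properties")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def saml_response(issuer_text, doctype=""):
    """Constructed, minimal SAML Response; real ones are larger and signed."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"{doctype}"
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">\n'
        f"  <saml:Issuer>{issuer_text}</saml:Issuer>\n"
        "  <samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>\n'
        "</samlp:Response>\n"
    )
    return xml.encode("utf-8")


def xxe_saml_response(secret_path):
    """Attacker-shaped response: an external entity pointing at a server file."""
    doctype = f'<!DOCTYPE Response [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
    return saml_response("&xxe;", doctype)


class IssuerCollector(ContentHandler):
    """Collects the text of <Issuer>, as a service provider does to pick its IdP."""

    def __init__(self):
        super().__init__()
        self._in_issuer = False
        self.issuer = []

    def startElement(self, name, attrs):
        self._in_issuer = name.endswith("Issuer")

    def endElement(self, name):
        if name.endswith("Issuer"):
            self._in_issuer = False

    def characters(self, content):
        if self._in_issuer:
            self.issuer.append(content)


def _parse(xml_bytes, external_entities):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    handler = IssuerCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.issuer).strip()


def parse_vulnerable(xml_bytes):
    """External general entities resolved: SYSTEM "path" reads that file."""
    return _parse(xml_bytes, external_entities=True)


def parse_hardened(xml_bytes):
    """Reject any DTD up front and keep external entity resolution off."""
    if re.search(rb"<!DOCTYPE", xml_bytes, re.IGNORECASE):
        raise ValueError("DTD/DOCTYPE not permitted in SAML messages")
    return _parse(xml_bytes, external_entities=False)


if __name__ == "__main__":
    secret = build_secret_file()
    try:
        print("vulnerable parser leaked:", parse_vulnerable(xxe_saml_response(secret)))
        print("hardened parser, benign:", parse_hardened(saml_response(IDP)))
        try:
            parse_hardened(xxe_saml_response(secret))
        except ValueError as exc:
            print("hardened parser rejected payload:", exc)
    finally:
        os.remove(secret)
```

The leak happens entirely inside the parser, before any application logic or signature check runs, which is why the workaround has to be a parser setting rather than input validation later in the flow.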

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the WebTA server from sensitive systems
  • Restrict outbound connections from the WebTA server; an attacker who cannot see the parsed result falls back to out-of-band exfiltration over outbound HTTP or FTP, which egress filtering blocks
  • Run the WebTA service under a least-privilege account so that the files the parser can read are limited to what the application needs
  • Deploy a web application firewall (WAF) with XXE protection rules, noting that the SAML response arrives base64-encoded and the WAF must decode it before inspecting for DOCTYPE or ENTITY declarations

🔍 How to Verify

Check if Vulnerable:

Check if running WebTA 5.0.4 with SAML enabled in authentication settings.

Check Version:

Check WebTA administration panel or examine web.config version tag

Verify Fix Applied:

Verify WebTA version is 5.0.5 or later and test SAML authentication functionality.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors in the WebTA application log (access logs record only the request line and status, not parse failures)
  • Bursts of failed SAML authentication attempts against the assertion consumer endpoint

Network Indicators:

  • Decoded SAML payloads containing DOCTYPE, ENTITY or SYSTEM declarations in HTTP requests
  • Unusual outbound connections from the WebTA server, the signature of out-of-band exfiltration in blind XXE

SIEM Query:

source="IIS" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")

This query only fires on a log source that records request bodies. IIS access logs do not, and even where bodies are logged (WAF, reverse proxy) the SAML response travels base64-encoded in the SAMLResponse form field, so the string DOCTYPE never appears literally; the body has to be decoded before matching.
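An added example (not part of the original page or of any vendor tooling) of the decoding step a body-level match needs: the SAMLResponse field is base64 in the HTTP-POST binding and additionally DEFLATE-compressed in the HTTP-Redirect binding, so the scanner undoes both before looking for DTD markers. The log records, client addresses, the /webta/saml/acs path and the file path inside the payload are all constructed for the demo.

```python
"""Detect XXE markers in SAML responses posted to a service provider.

Added example, not WebTA or vendor code. Web-server access logs do not carry
POST bodies; the sample records stand in for a WAF / reverse-proxy body log.
"""
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, urlencode

# None of these appear in a legitimate SAML message (DTDs are not used by
# SAML), so any hit is worth an alert.
XXE_MARKERS = {
    "doctype": rb"<!DOCTYPE",
    "entity-decl": rb"<!ENTITY",
    "system-id": rb"SYSTEM\s*[\"']",
    "public-id": rb"PUBLIC\s*[\"']",
}

# Constructed payloads; the file path is a placeholder, not a real target.
BENIGN_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_1" Version="2.0"><saml:Issuer '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"https://idp.example.gov</saml:Issuer></samlp:Response>"
)
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///server/config/app.properties">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_2" Version="2.0"><saml:Issuer '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">&xxe;</saml:Issuer>'
    b"</samlp:Response>"
)


def post_body(xml_bytes, relay_state="/webta/home"):
    """Build an HTTP-POST binding form body the way a browser would submit it."""
    encoded = base64.b64encode(xml_bytes).decode()
    return urlencode({"SAMLResponse": encoded, "RelayState": relay_state})


def decode_saml_message(b64_text):
    """Undo the POST binding (base64) and, if present, the Redirect binding DEFLATE."""
    try:
        raw = base64.b64decode(b64_text, validate=False)
    except (binascii.Error, ValueError):
        return b""
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE stream
    except zlib.error:
        return raw  # plain POST binding: already XML


def xxe_indicators(xml_bytes):
    """Names of the XXE markers present in a decoded XML document."""
    return sorted(
        name for name, pat in XXE_MARKERS.items()
        if re.search(pat, xml_bytes, re.IGNORECASE)
    )


def scan_body(body):
    """Indicator names found in the SAMLResponse field(s) of one request body."""
    hits = set()
    for encoded in parse_qs(body).get("SAMLResponse", []):
        hits.update(xxe_indicators(decode_saml_message(encoded)))
    return sorted(hits)


# Constructed body-logging proxy records: (client, path, form body).
SAMPLE_LOG = [
    ("203.0.113.5", "/webta/saml/acs", post_body(BENIGN_XML)),
    ("198.51.100.77", "/webta/saml/acs", post_body(XXE_XML)),
    ("203.0.113.9", "/webta/login", "username=jdoe&password=redacted"),
]


def scan_log(records):
    """(client, path, indicators) for every record whose SAML payload has XXE markers."""
    return [
        (client, path, hits)
        for client, path, body in records
        if (hits := scan_body(body))
    ]


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} {path} {', '.join(hits)}")
```

The same decode-then-match logic is what a WAF rule has to implement to be useful here; a rule that inspects the raw form body sees only base64 and matches nothing.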
