Platform
php
Component
hrsale
Fixed in
1.1.9
CVE-2020-37145 describes a cross-site request forgery (CSRF) vulnerability in HRSALE version 1.1.8. The flaw lets an attacker abuse an authenticated administrator's browser session to create new user accounts with elevated privileges, potentially leading to unauthorized access and control. The vulnerability was publicly disclosed on 2026-02-05. Due to the lack of a fixed version, mitigation strategies focus on preventative measures.
The primary impact of CVE-2020-37145 is unauthorized administrative account creation. An attacker could craft a malicious HTML page containing hidden form fields that mimic the employee registration form. When a legitimate administrator visits this page while authenticated, their browser automatically submits the crafted form, creating a new user account with administrative privileges under the attacker's control. This grants the attacker full access to the HRSALE system, enabling them to modify data, change settings, and potentially compromise the entire application. The blast radius is the entire HRSALE deployment, since any administrator account can be used to create a backdoor account.
There is no indication of active exploitation of CVE-2020-37145 at this time. Public proof-of-concept (PoC) code is not readily available, and the vulnerability is not listed in the CISA KEV catalog. Given the relatively low CVSS score and the lack of public exploitation, the probability of exploitation is considered low to medium.
Organizations running HRSALE version 1.1.8 are at risk. This includes businesses relying on HRSALE for human resource management, particularly those with limited security expertise or those that have not implemented robust input validation and CSRF protection. Shared hosting environments where HRSALE is installed are also at increased risk because of the potential for cross-tenant exposure.
• php / web:
curl -I 'http://your-hrsale-site.com/employee_registration.php?username=attacker&password=attacker'
• generic web:
grep -i 'attacker' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
Since a fixed version of HRSALE is not available to address CVE-2020-37145, mitigation must focus on preventative measures. Strict input validation on the employee registration form is essential: all data received must be sanitized and validated before it is processed. Adding CSRF tokens to all sensitive forms, including the registration form, significantly reduces the risk of exploitation, because a forged cross-site request cannot supply a token that is bound to the victim's session. A Web Application Firewall (WAF) with CSRF protection rules provides an additional layer of defense. Regularly review user accounts and permissions to identify any suspicious activity, such as newly created administrator accounts.
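The following is an added example of the synchronizer-token pattern described above; it is not HRSALE's code and does not reflect how HRSALE implements its registration form. All function names, the `_csrf` field name and the `SameSite` cookie settings are assumptions chosen for illustration.

```php
<?php
// Added example (not HRSALE's own code): synchronizer-token CSRF protection
// for a state-changing form such as an employee/admin registration form.
// Function and field names here are hypothetical.
declare(strict_types=1);

// Cookie hardening: SameSite=Lax stops the session cookie being attached to
// cross-site top-level POSTs, which is exactly the CSRF delivery path.
// Defense in depth only; the token check below remains the primary control.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = '_csrf';

// Issue (or reuse) one unpredictable token per session.
// random_bytes() is backed by the OS CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to place inside every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session copy.
// hash_equals() compares in constant time, so the comparison itself
// does not leak the token byte by byte.
function csrf_valid(array $post): bool
{
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Registration handler: the token is checked before any input is trusted
// and before any database write or account creation happens.
function handle_registration(array $server, array $post): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        // GET: render the form, embedding csrf_field() inside it.
        return 'render form';
    }
    if (!csrf_valid($post)) {
        // A cross-site forged request cannot know the per-session token,
        // so it fails here. Log it: repeated failures are worth reviewing.
        http_response_code(403);
        error_log('CSRF validation failed for employee registration from '
            . ($server['REMOTE_ADDR'] ?? 'unknown'));
        return 'rejected';
    }
    // Only now validate the remaining fields (username, role, ...) and
    // create the account.
    return 'user created';
}

echo handle_registration($_SERVER, $_POST);
```

In the template, place `<?= csrf_field() ?>` inside the registration `<form method="post">`. The token is tied to the victim's session, so a page on another origin cannot read or forge it; the `SameSite` cookie attribute adds a second, browser-enforced barrier in case a form is ever shipped without the hidden field.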
Update HRSALE to a patched version that fixes the CSRF vulnerability. If no such version is available, implement CSRF protections in the employee registration form, such as CSRF tokens, to prevent the unauthorized creation of administrative users.
CVE-2020-37145 is a cross-site request forgery vulnerability in HRSALE version 1.1.8 that allows attackers to create unauthorized admin users.
If you are running HRSALE version 1.1.8 and have not implemented CSRF protection, you are potentially affected.
A fixed version is not available. Mitigate by implementing strict input validation and CSRF tokens on sensitive forms.
There is currently no evidence of active exploitation of CVE-2020-37145.
Check the HRSALE website or contact HRSALE support for the official advisory.