Platform
php
Component
maian-support-helpdesk
Fixed in
4.3.1
CVE-2020-37091 describes a cross-site request forgery (XSRF) vulnerability in Maian Support Helpdesk version 4.3. The flaw allows an attacker to create administrative accounts without authentication and to upload arbitrary PHP files through the FAQ attachment system. Affected users should upgrade to a patched version of the software to mitigate this risk.
The primary impact of CVE-2020-37091 is the potential for unauthorized administrative account creation. An attacker could leverage this to gain full control over the Maian Support Helpdesk instance. Furthermore, the unrestricted file upload capability allows attackers to upload malicious PHP files, which could then be executed on the server, leading to remote code execution (RCE). This could result in data breaches, system compromise, and complete control of the affected system. The ability to upload and execute arbitrary code significantly expands the attack surface and increases the potential damage.
Public information regarding active exploitation of CVE-2020-37091 is currently limited. The vulnerability was disclosed on 2026-02-03. There are no known KEV listings or EPSS scores associated with this CVE at this time. Public proof-of-concept exploits are not widely available, but the combination of XSRF and unrestricted file upload presents a significant risk if exploited.
Exploit Status
EPSS
0.04% (12th percentile)
The recommended mitigation for CVE-2020-37091 is to upgrade to a patched version of Maian Support Helpdesk. Since a fixed version is not specified in the provided data, consider temporary workarounds: enforce strict input validation on all user-supplied data, particularly during account creation and file uploads; enable the application's CSRF protection mechanisms where possible; and regularly review FAQ attachments for suspicious files. After applying any workaround, verify that it holds by attempting to create an administrative account via a crafted HTML form and by uploading a test PHP file, both of which should now be rejected.
Update to a version later than 4.3 that fixes the CSRF vulnerability. As no specific version is mentioned as fixed, it is recommended to contact the vendor (Maian Media) for a patched version or instructions on how to manually mitigate the vulnerability.
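As an added illustration of the two workarounds named above (it is not Maian Support Helpdesk's own code, and the function and form-field names are assumptions), the following PHP handler binds a per-session CSRF token to the account-creation form and applies an allow-list to FAQ attachment uploads so that PHP files are never accepted:

```php
<?php
// Added example, not Maian Support Helpdesk code: a hardened POST handler showing a
// per-session CSRF token and an attachment allow-list. Names are assumptions.
declare(strict_types=1);
session_start();

// Issue one token per session and embed it as a hidden field in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only if the submitted token matches the session token (constant-time compare).
function csrf_check(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Allow-list for FAQ attachments: the extension must be listed and the sniffed MIME type
// must agree with it. Executable types such as .php are not in the list and are refused.
function attachment_allowed(string $tmpPath, string $clientName): bool {
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png',
                'jpg' => 'image/jpeg', 'txt' => 'text/plain'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($tmpPath) === $allowed[$ext];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    if (isset($_FILES['faq_attachment']) && $_FILES['faq_attachment']['error'] === UPLOAD_ERR_OK) {
        $f = $_FILES['faq_attachment'];
        if (!attachment_allowed($f['tmp_name'], $f['name'])) {
            http_response_code(400);
            exit('Attachment type not permitted');
        }
        // Store under a server-generated name outside the web root so the client-supplied
        // filename is never used as a path and the file is never served as executable code.
        $dest = '/var/app/attachments/' . bin2hex(random_bytes(16));
        move_uploaded_file($f['tmp_name'], $dest);
    }
    // Account creation proceeds here only after the CSRF check has passed.
}
```

The form that posts to this handler must include `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">`; a request forged from another origin cannot read that value and is rejected with 403.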
CVE-2020-37091 is a cross-site request forgery vulnerability in Maian Support Helpdesk 4.3, allowing attackers to create admin accounts and upload malicious files.
If you are running Maian Support Helpdesk version 4.3, you are potentially affected by this vulnerability. Upgrading is recommended.
Upgrade to a patched version of Maian Support Helpdesk. If a patch is unavailable, implement workarounds like input validation and CSRF protection.
Currently, there is no widespread evidence of active exploitation, but the vulnerability's nature poses a significant risk.
Refer to the Maian Support Helpdesk website or security mailing lists for official advisories and updates regarding this vulnerability.