Platform
php
Component
hrsale
Fixed in
1.1.9
CVE-2020-37145 describes a cross-site request forgery (CSRF) vulnerability in HRSALE version 1.1.8. The flaw allows an attacker to leverage an authenticated administrator's browser to create new user accounts with elevated privileges, potentially leading to unauthorized access and control. The vulnerability was publicly disclosed on 2026-02-05. Due to the lack of a fixed version, mitigation strategies focus on preventative measures.
The primary impact of CVE-2020-37145 is the potential for unauthorized administrative account creation. An attacker could craft a malicious HTML page containing hidden form fields that mimic the employee registration form. When a legitimate administrator visits this page while authenticated, their browser will automatically submit the crafted form, creating a new user account with administrative privileges under the attacker's control. This grants the attacker full access to the HRSALE system, enabling them to modify data, configure settings, and potentially compromise the entire application. The blast radius extends to the entire HRSALE deployment, as any administrator account can be exploited to create a backdoor.
There is no indication of active exploitation of CVE-2020-37145 at this time. Public proof-of-concept (PoC) code is not readily available, and the vulnerability is not listed in the CISA KEV catalog. Given the relatively low CVSS score and the lack of public exploitation, the probability of exploitation is considered low to medium.
Exploit Status
EPSS
0.01% (0% percentile)
Since a fixed version of HRSALE is not available to address CVE-2020-37145, mitigation strategies must focus on preventative measures. Implementing strict input validation on the employee registration form is crucial, ensuring that all data received is properly sanitized and validated before being processed. Furthermore, implementing CSRF tokens on all sensitive forms, including the registration form, will significantly reduce the risk of exploitation. Consider using a Web Application Firewall (WAF) with CSRF protection rules to provide an additional layer of defense. Regularly review user accounts and permissions to identify any suspicious activity.
Update HRSALE to a patched version that resolves the CSRF vulnerability. If no version is available, implement CSRF protection measures in the employee registration form, such as CSRF tokens, to prevent the unauthorized creation of administrative users.
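The synchronizer-token protection recommended above, shown as an added example in PHP (HRSALE's platform); this is illustrative code, not HRSALE's own, and the function names `csrf_token()`/`csrf_validate()`, the field name `csrf_token`, and the form action `/employee/add` are assumptions. It also sets `SameSite=Lax` on the session cookie as a second layer the advisory does not mention.

```php
<?php
// Added example (not HRSALE's code): synchronizer-token CSRF protection for an
// employee-registration form. Names below are assumptions for illustration.
declare(strict_types=1);

// Defense in depth (not from the advisory): a Lax/HttpOnly/Secure session cookie
// is not sent on cross-site POSTs, so a forged form cannot ride the admin session.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one unpredictable token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Accept the request only if it carries the session's token. hash_equals()
// compares in constant time so the token cannot be recovered via timing.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // An attacker's page cannot read the token out of the admin's session,
    // so a forged submission fails here before any account is created.
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... only now create the employee record and assign its role ...
}
?>
<form method="post" action="/employee/add">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <!-- remaining registration fields (name, e-mail, role, ...) -->
  <button type="submit">Add employee</button>
</form>
```

Any state-changing endpoint (role changes, password resets, settings) needs the same check, not just the registration form.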
CVE-2020-37145 is a cross-site request forgery vulnerability in HRSALE version 1.1.8, allowing attackers to create unauthorized admin users.
If you are running HRSALE version 1.1.8 and have not implemented CSRF protection, you are potentially affected.
A fixed version is not available. Mitigate by implementing strict input validation and CSRF tokens on sensitive forms.
There is currently no evidence of active exploitation of CVE-2020-37145.
Check the HRSALE website or contact HRSALE support for the official advisory.