Platform: php
Component: maian-support-helpdesk
Fixed in: 4.3.1
CVE-2020-37091 describes a cross-site request forgery (XSRF) vulnerability in Maian Support Helpdesk version 4.3. The flaw allows attackers to create administrative accounts without authentication and to upload arbitrary PHP files through the FAQ attachment system. Affected users should upgrade to a patched version of the software to mitigate this risk.
The primary impact of CVE-2020-37091 is the potential for unauthorized administrative account creation. An attacker could leverage this to gain full control over the Maian Support Helpdesk instance. Furthermore, the unrestricted file upload capability allows attackers to upload malicious PHP files, which could then be executed on the server, leading to remote code execution (RCE). This could result in data breaches, system compromise, and complete control of the affected system. The ability to upload and execute arbitrary code significantly expands the attack surface and increases the potential damage.
Public information regarding active exploitation of CVE-2020-37091 is currently limited. The vulnerability was disclosed on 2026-02-03. There are no known KEV listings or EPSS scores associated with this CVE at this time. Public proof-of-concept exploits are not widely available, but the combination of XSRF and unrestricted file upload presents a significant risk if exploited.
Organizations utilizing Maian Support Helpdesk version 4.3 are at risk. This includes businesses relying on the helpdesk software for customer support and internal communication. Shared hosting environments are particularly vulnerable, as attackers could potentially exploit the vulnerability on multiple instances hosted on the same server.
• php / web: curl -I <helpdesk_url>/faq.php?attach=<malicious_php_file>
• php / web: grep -r 'admin_user_create' /var/www/html/
• generic web: Monitor access logs for unusual POST requests to account creation endpoints.
• generic web: Check for newly uploaded PHP files in the FAQ attachment directory.
disclosure
Exploit status
EPSS: 0.04% (percentile 12%)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2020-37091 is to upgrade to a patched version of Maian Support Helpdesk. Since a fixed version is not specified in the provided data, consider temporary workarounds in the meantime. These may include strict input validation on all user-supplied data, particularly during account creation and file uploads, and enabling CSRF protection mechanisms within the application if possible. Regularly review FAQ attachments for suspicious files. After applying any workaround, verify the system's security by attempting to create an administrative account via a crafted HTML form and uploading a test PHP file.
Update to a version later than 4.3 that fixes the CSRF vulnerability. Since no specific version is mentioned as fixed, it is recommended to contact the vendor (Maian Media) to obtain a fixed version or instructions on how to mitigate the vulnerability manually.
CVE-2020-37091 is a cross-site request forgery vulnerability in Maian Support Helpdesk 4.3, allowing attackers to create admin accounts and upload malicious files.
If you are running Maian Support Helpdesk version 4.3, you are potentially affected by this vulnerability. Upgrade is recommended.
Upgrade to a patched version of Maian Support Helpdesk. If a patch is unavailable, implement workarounds like input validation and CSRF protection.
Currently, there is no widespread evidence of active exploitation, but the vulnerability's nature poses a significant risk.
Refer to the Maian Support Helpdesk website or security mailing lists for official advisories and updates regarding this vulnerability.