Platform
php
Component
maian-support-helpdesk
Fixed version
4.3.1
CVE-2020-37091 describes a cross-site request forgery (XSRF) vulnerability in Maian Support Helpdesk version 4.3. The flaw allows attackers to create administrative accounts without authentication and to upload arbitrary PHP files via the FAQ attachment system. Affected users should upgrade to a patched version of the software to mitigate this risk.
The primary impact of CVE-2020-37091 is the potential for unauthorized administrative account creation. An attacker could leverage this to gain full control over the Maian Support Helpdesk instance. Furthermore, the unrestricted file upload capability allows attackers to upload malicious PHP files, which could then be executed on the server, leading to remote code execution (RCE). This could result in data breaches, system compromise, and complete control of the affected system. The ability to upload and execute arbitrary code significantly expands the attack surface and increases the potential damage.
Public information regarding active exploitation of CVE-2020-37091 is currently limited. The vulnerability was disclosed on 2026-02-03. There are no known KEV listings or EPSS scores associated with this CVE at this time. Public proof-of-concept exploits are not widely available, but the combination of XSRF and unrestricted file upload presents a significant risk if exploited.
Organizations utilizing Maian Support Helpdesk version 4.3 are at risk. This includes businesses relying on the helpdesk software for customer support and internal communication. Shared hosting environments are particularly vulnerable, as attackers could potentially exploit the vulnerability on multiple instances hosted on the same server.
• php / web: curl -I <helpdesk_url>/faq.php?attach=<malicious_php_file>
• php / web: grep -r 'admin_user_create' /var/www/html/
• generic web: Monitor access logs for unusual POST requests to account creation endpoints.
• generic web: Check for newly uploaded PHP files in the FAQ attachment directory.
disclosure
Exploitation status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2020-37091 is to upgrade to a patched version of Maian Support Helpdesk. Because the available data does not name a fixed version, consider temporary workarounds in the meantime: enforce strict server-side validation of all user-supplied data, particularly during account creation and file uploads, and enable CSRF protection (per-session tokens on every state-changing form) in the application if possible. Regularly review FAQ attachments for suspicious files. After applying any workaround, verify that it holds by attempting to create an administrative account via a crafted HTML form and by uploading a test PHP file; both attempts should be rejected.
Update to a version later than 4.3 to fix the CSRF vulnerability. Since no specific fixed version is mentioned, contact the vendor (Maian Media) about obtaining a patched version or mitigating the vulnerability manually.
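The two workarounds named above (CSRF protection and server-side validation of uploads) look like this in a minimal form handler. This is an added illustration, not code from Maian Support Helpdesk or from Maian Media; the field names csrf_token and faq_attachment, the session key admin_id and the attachments directory are assumptions.

```php
<?php
// Added example (not Maian Support Helpdesk code): a synchroniser-token CSRF
// check plus an allowlist-based upload handler for an admin-only form.
// Field names, the admin_id session key and the upload path are assumptions.
declare(strict_types=1);

session_start();

// Issue one random token per session and embed it as a hidden field in every
// state-changing form. A cross-site page cannot read it, so a forged POST
// arrives without a matching value.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session token.
function csrf_check(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Attachments are limited to a few document types, decided by the server-side
// detected MIME type rather than the client-supplied filename, and stored under
// a random name with a fixed extension so a ".php" name never reaches disk.
const ALLOWED_MIME = [
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'text/plain'      => 'txt',
];

function store_attachment(array $file, string $uploadDir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        return null;                      // PHP source is typically reported as text/x-php: rejected
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Handler: require an authenticated admin session AND a valid token before
// acting on the request; either failure yields a 403 and nothing is written.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['admin_id']) || !csrf_check($_POST)) {
        http_response_code(403);
        exit('Forbidden');
    }
    if (isset($_FILES['faq_attachment'])) {
        $stored = store_attachment($_FILES['faq_attachment'], __DIR__ . '/attachments');
        echo $stored === null ? 'Attachment rejected' : 'Stored as ' . htmlspecialchars($stored);
    }
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="file" name="faq_attachment">
  <button type="submit">Upload</button>
</form>
```

The MIME allowlist and the fixed extension work together: a file that sniffs as an image but carries embedded PHP still lands on disk as .png and is never handed to the interpreter. Keeping the attachments directory outside the web root, or disabling script execution there in the web server configuration, and marking the session cookie SameSite are complementary controls that do not depend on the application code being patched.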
CVE-2020-37091 is a cross-site request forgery vulnerability in Maian Support Helpdesk 4.3, allowing attackers to create admin accounts and upload malicious files.
If you are running Maian Support Helpdesk version 4.3, you are potentially affected by this vulnerability. Upgrade is recommended.
Upgrade to a patched version of Maian Support Helpdesk. If a patch is unavailable, implement workarounds like input validation and CSRF protection.
Currently, there is no widespread evidence of active exploitation, but the vulnerability's nature poses a significant risk.
Refer to the Maian Support Helpdesk website or security mailing lists for official advisories and updates regarding this vulnerability.