HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
Platform: php
Component: hrsale
Fixed in: 1.1.9
CVE-2020-37145 describes a cross-site request forgery (CSRF) vulnerability found in HRSALE version 1.1.8. This flaw allows attackers to leverage authenticated administrators to create new user accounts with elevated privileges, potentially leading to unauthorized access and control. The vulnerability was publicly disclosed on 2026-02-05. Due to the lack of a fixed version, mitigation strategies focus on preventative measures.
Impact and Attack Scenarios
The primary impact of CVE-2020-37145 is the potential for unauthorized administrative account creation. An attacker could craft a malicious HTML page containing hidden form fields that mimic the employee registration form. When a legitimate administrator visits this page while authenticated, their browser will automatically submit the crafted form, creating a new user account with administrative privileges under the attacker's control. This grants the attacker full access to the HRSALE system, enabling them to modify data, configure settings, and potentially compromise the entire application. The blast radius extends to the entire HRSALE deployment, as any administrator account can be exploited to create a backdoor.
Exploitation Context
There is no indication of active exploitation of CVE-2020-37145 at this time. Public proof-of-concept (POC) code is not readily available. The vulnerability is not listed on the CISA KEV catalog. Given the relatively low CVSS score and the lack of public exploitation, the probability of exploitation is considered low to medium.
Who Is at Risk
Organizations utilizing HRSALE version 1.1.8 are at risk. This includes businesses relying on HRSALE for human resource management functions, particularly those with limited security expertise or those who have not implemented robust input validation and CSRF protection measures. Shared hosting environments where HRSALE is installed are also at increased risk due to the potential for cross-tenant vulnerabilities.
Detection Steps
• php / web:
curl -I 'http://your-hrsale-site.com/employee_registration.php?username=attacker&password=attacker'
• generic web:
grep -i 'attacker' /var/log/apache2/access.log
Attack Timeline
- Disclosure
Threat Intelligence
EPSS: 0.01% (0th percentile)
CVSS metrics
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. Automatic and silent attack; the victim does nothing.
- Scope: Unchanged. Impact limited to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: Low. The attacker can modify some data of limited scope.
- Availability: None. No availability impact.
Mitigation and Workarounds
Since a fixed version of HRSALE is not available to address CVE-2020-37145, mitigation strategies must focus on preventative measures. Implementing strict input validation on the employee registration form is crucial, ensuring that all data received is properly sanitized and validated before being processed. Furthermore, implementing CSRF tokens on all sensitive forms, including the registration form, will significantly reduce the risk of exploitation. Consider using a Web Application Firewall (WAF) with CSRF protection rules to provide an additional layer of defense. Regularly review user accounts and permissions to identify any suspicious activity.
How to Fix
Update HRSALE to a patched version that fixes the CSRF vulnerability. If no such version is available, implement CSRF protection measures on the employee registration form, such as CSRF tokens, to prevent the unauthorized creation of administrative users.
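The CSRF-token mitigation recommended in the two sections above, shown as an added example that is not HRSALE's own code: a synchronizer token stored in the session, a constant-time check on POST, an independent Origin/Referer check, and a SameSite session cookie as defense in depth. The form field names, EXPECTED_HOST and create_employee() are assumptions; HRSALE's real employee-registration handler is not shown on this page.

```php
<?php
// Added example, not HRSALE's own code: synchronizer-token CSRF protection for a
// hypothetical employee-registration handler. Field names, EXPECTED_HOST and
// create_employee() are assumptions; HRSALE's real handler is not shown here.
const EXPECTED_HOST = 'hr.example.com'; // placeholder: your HRSALE hostname

// SameSite keeps the session cookie off cross-site form posts (defense in depth).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// One unpredictable token per session, kept server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing, non-string or mismatched token is rejected.
function csrf_token_is_valid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Second, independent check: the browser must report our own origin.
// Strict: a request carrying neither Origin nor Referer is refused.
function same_origin(array $server): bool {
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    return $src !== '' && parse_url($src, PHP_URL_HOST) === EXPECTED_HOST;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null) || !same_origin($_SERVER)) {
        // Log the rejection so forged submissions show up in monitoring.
        error_log('CSRF check failed on employee registration from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid request.');
    }
    // create_employee($_POST);        // hypothetical: validate inputs, then persist
    unset($_SESSION['csrf_token']);    // rotate the token after a state-changing request
    exit('Employee created.');
}
?>
<!-- The token travels as a hidden field; a cross-site page cannot read it. -->
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="username" placeholder="username">
  <button type="submit">Add employee</button>
</form>
```

If a privacy policy strips the Referer header for legitimate users, relax same_origin() to accept an absent header rather than dropping the token check; the token remains the primary control.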
Frequently Asked Questions
What is CVE-2020-37145 — CSRF in HRSALE 1.1.8?
CVE-2020-37145 is a cross-site request forgery vulnerability in HRSALE version 1.1.8, allowing attackers to create unauthorized admin users.
Am I affected by CVE-2020-37145 in HRSALE 1.1.8?
If you are running HRSALE version 1.1.8 and have not implemented CSRF protection, you are potentially affected.
How do I fix CVE-2020-37145 in HRSALE 1.1.8?
A fixed version is not available. Mitigate by implementing strict input validation and CSRF tokens on sensitive forms.
Is CVE-2020-37145 being actively exploited?
There is currently no evidence of active exploitation of CVE-2020-37145.
Where can I find the official HRSALE advisory for CVE-2020-37145?
Check the HRSALE website or contact HRSALE support for the official advisory.