Platform
php
Component
business-live-chat-software
Fixed version
1.0.1
CVE-2020-37106 describes a cross-site request forgery (CSRF) vulnerability discovered in Business Live Chat Software version 1.0. The flaw allows an attacker to manipulate user account roles, potentially granting themselves administrative privileges. It stems from insufficient authentication checks when modifying user privileges through the user creation endpoint. A fix is available, and users are required to upgrade to a patched version.
The primary impact of CVE-2020-37106 is unauthorized elevation of user privileges. An attacker can craft a malicious HTML form that, when submitted, triggers a POST request to the user creation endpoint. By including administrative access parameters in this request, the attacker can change a user's role to administrator, bypassing the standard authentication checks. This could lead to complete control over the Business Live Chat Software instance, including access to sensitive data, modification of chat logs, and potentially compromise of the underlying server. The blast radius extends to all users of the vulnerable software, since any authenticated user could be targeted to have their role changed.
CVE-2020-37106 was published on 2026-02-06. No public proof-of-concept (PoC) code had been identified at the time of writing. The EPSS score is likely low, given the lack of public exploitation and the relatively straightforward nature of CSRF attacks. The vulnerability is not currently listed in the CISA KEV catalog.
Organizations utilizing Business Live Chat Software version 1.0 are at risk. This includes businesses relying on the software for customer support and communication, particularly those with limited security expertise or those who have not implemented robust web application security controls. Shared hosting environments where multiple users share the same instance of the software are also at increased risk.
• php / server:
grep -r 'user creation endpoint' /var/www/html/
• generic web:
curl -I https://your-business-live-chat-software/user_creation_endpoint | grep -i 'content-type: application/x-www-form-urlencoded'
Exploitation status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2020-37106 is to upgrade to a patched version of Business Live Chat Software as soon as it becomes available. In the interim, implement Web Application Firewall (WAF) rules to filter suspicious POST requests targeting the user creation endpoint; specifically, look for requests that carry administrative access parameters without proper authentication. Additionally, strengthen input validation on the user creation endpoint so that malicious data is not processed, and consider implementing CSRF tokens to further protect against this type of attack. After upgrading, confirm the vulnerability is resolved by attempting to modify user roles via a crafted HTML form.
Upgrade to the patched version of Business Live Chat Software. If no patched version is yet available, it is recommended to temporarily disable the user creation function or to implement CSRF protection on the user creation form, such as a CSRF token.
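The two interim controls recommended above (a CSRF token on the user creation form and a server-side check that only an administrator may assign the admin role) as an added illustration, not code from Business Live Chat Software; the endpoint, parameter and session field names are assumptions:

```php
<?php
// Added example (not the project's code). Parameter names 'csrf_token',
// 'username' and 'role', and session fields 'csrf_token' and 'role', are assumptions.
declare(strict_types=1);

// Issue a per-session token; render it as a hidden field in the user creation form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token against the stored one.
function csrf_valid(array $session, ?string $submitted): bool {
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Handler for the (assumed) user creation endpoint. Returns the record to create,
// or null with a reason when the request is rejected.
function handle_create_user(array $post, array $session, ?string &$reason = null): ?array {
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        $reason = 'missing or invalid CSRF token';
        return null;
    }
    // The role comes from the server-side session, never from the form alone:
    // only an authenticated admin may mint an admin account; everyone else
    // gets the least-privileged role regardless of what the request carries.
    $requested     = $post['role'] ?? 'user';
    $callerIsAdmin = ($session['role'] ?? '') === 'admin';
    $role = ($requested === 'admin' && $callerIsAdmin) ? 'admin' : 'user';
    return ['username' => (string) ($post['username'] ?? ''), 'role' => $role];
}

// Constructed demo: a cross-site form cannot read the session token, so a
// forged POST arrives without it and is rejected before any role is touched.
$session = ['user_id' => 7, 'role' => 'user'];
$token   = csrf_token($session);
$forged  = ['username' => 'newuser', 'role' => 'admin'];
$result  = handle_create_user($forged, $session, $why);
echo $result === null ? "rejected: $why\n" : "created\n";

// A legitimate submission carrying the token is accepted, but a non-admin
// session still cannot escalate the new account to admin.
$legit  = $forged + ['csrf_token' => $token];
$result = handle_create_user($legit, $session);
echo 'created role=' . $result['role'] . "\n";
```

Pair the token with a SameSite cookie attribute on the session cookie so that the browser itself withholds the session on most cross-site form posts.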
CVE-2020-37106 is a cross-site request forgery (CSRF) vulnerability in Business Live Chat Software version 1.0, allowing attackers to change user roles without authentication.
If you are using Business Live Chat Software version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Business Live Chat Software. Implement WAF rules and input validation as interim mitigation.
There are currently no reports of CVE-2020-37106 being actively exploited, but the vulnerability remains a potential risk.
Refer to the Business Live Chat Software vendor's website or security advisories for the official advisory regarding CVE-2020-37106.