CVE-2020-37007
Unknown Unknown - Not Provided
Cross-Site Request Forgery in Liman 0.7 Allows Account Takeover

Publication date: 2026-01-29

Last updated on: 2026-02-17

Assigner: VulnCheck

Description
Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37007
EUVD
EUVD-2020-30902
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
salihciftci liman 0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers to change your user account settings, including your password, without your knowledge or consent. An attacker can trick you into loading a malicious HTML form that automatically submits unauthorized requests to Liman, potentially leading to account takeover or unauthorized modifications to your account information. [1, 2]

Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) in Liman 0.7 that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms that trick logged-in users into submitting unauthorized requests, such as changing passwords or modifying account information, without the users' consent. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the Liman endpoints that manage user account settings, specifically to URLs like http://127.0.0.1:5000/settings/profile and http://127.0.0.1:5000/settings/password. You can use network traffic analysis tools such as tcpdump or Wireshark to capture HTTP POST requests to these endpoints. For example, a command like `tcpdump -i any -A 'tcp port 5000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i POST` can help detect suspicious POST requests. Additionally, reviewing web server logs for unexpected or unauthorized POST requests to these endpoints can help identify exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms on the Liman application, such as adding CSRF tokens to all forms that modify user account settings. Until a patch is available, restrict access to the Liman web interface to trusted networks or users only, and educate users to avoid clicking on suspicious links or opening untrusted HTML files while logged into Liman. Additionally, consider using web application firewalls (WAF) to block unauthorized POST requests to the vulnerable endpoints. If possible, update or patch Liman to a version that includes CSRF protections. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37007. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart