CVE-2020-37106
CSRF in Business Live Chat 1.0 Enables Privilege Escalation
Publication date: 2026-02-07
Last updated on: 2026-02-07
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bdtask | business_live_chat_software | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2020-37106 is a Cross-Site Request Forgery (CSRF) vulnerability in Business Live Chat Software version 1.0. It allows attackers to change user account roles without authentication by crafting a malicious HTML form that submits a POST request to the user creation endpoint with parameters that grant administrative access.

Specifically, an attacker can submit a form with parameters like user_id, first name, last name, email, and user_type set to admin, which updates the user's role to administrator without proper authorization checks. [2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to escalate their privileges to an administrator role without proper authentication. This means an attacker could gain full administrative control over the Business Live Chat Software, potentially allowing them to modify settings, access sensitive data, or disrupt service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/admin/user/users/create` that include parameters attempting to change user roles, such as `user_type` set to "1" for admin.

You can use network traffic analysis tools or web server logs to identify such requests.

For example, using command-line tools like `grep` on web server logs to find POST requests to the user creation endpoint:

- `grep "POST /admin/user/users/create" /var/log/apache2/access.log`
- `grep "user_type=1" /var/log/apache2/access.log`

Additionally, inspecting HTTP traffic with tools like Wireshark or using intrusion detection systems to flag unauthorized privilege escalation attempts can help detect exploitation attempts. [2, 3]
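As an added detection example that is not part of this record, the script below applies the log check above to constructed Apache combined-format lines and flags POSTs to `/admin/user/users/create` whose Referer is missing or comes from a foreign origin, which is the tell-tale shape of a cross-site form submission. The host `chat.example.com`, the sample addresses and the `flag_csrf_candidates` helper are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Endpoint named in the advisory text; the query-string check fires only if user_type is sent in the URL.
TARGET_PATH = "/admin/user/users/create"

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_csrf_candidates(lines, own_hosts):
    """Flag POSTs to the user-creation endpoint whose Referer is missing or from a foreign origin.
    The genuine admin form is submitted from the application's own origin; a planted form is not."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        url = urlsplit(rec["path"])
        if url.path != TARGET_PATH:
            continue
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] not in ("", "-") else None
        reasons = []
        if ref_host is None:
            reasons.append("missing referer")
        elif ref_host not in own_hosts:
            reasons.append(f"cross-origin referer {ref_host}")
        if "user_type=1" in url.query.split("&"):
            reasons.append("admin user_type in query string")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["time"], "reasons": reasons})
    return findings

# Constructed sample lines (hypothetical hosts and addresses, not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Feb/2026:10:00:01 +0000] "POST /admin/user/users/create HTTP/1.1" 302 0 "https://chat.example.com/admin/user/users" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Feb/2026:10:00:07 +0000] "POST /admin/user/users/create HTTP/1.1" 302 0 "https://attacker.example/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Feb/2026:10:00:09 +0000] "POST /admin/user/users/create?user_type=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [07/Feb/2026:10:00:12 +0000] "GET /admin/user/users HTTP/1.1" 200 5120 "https://chat.example.com/admin" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in flag_csrf_candidates(SAMPLE_LOG, {"chat.example.com"}):
        print(finding)
```

Access logs record only the request line, so a `user_type=1` grep matches only when the parameter is sent in the query string; when it travels in the POST body, the Referer check (or a reverse proxy that logs request bodies) is what catches it.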
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing CSRF protection mechanisms such as requiring CSRF tokens on sensitive POST requests to prevent unauthorized form submissions.
Restrict access to the user creation endpoint to authorized administrators only and enforce proper authentication and authorization checks on the server side.
If possible, update or patch the Business Live Chat Software to a version that addresses this vulnerability.
As a temporary measure, monitor and block suspicious POST requests that attempt to change user roles.