CVE-2020-37106
Unknown Unknown - Not Provided
CSRF in Business Live Chat 1.0 Enables Privilege Escalation

Publication date: 2026-02-07

Last updated on: 2026-02-07

Assigner: VulnCheck

Description
Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-02-07
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37106
EUVD
EUVD-2020-31100
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask business_live_chat_software 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2020-37106 is a Cross-Site Request Forgery (CSRF) vulnerability in Business Live Chat Software version 1.0. It allows attackers to change user account roles without authentication by crafting a malicious HTML form that submits a POST request to the user creation endpoint with parameters that grant administrative access.'}, {'type': 'paragraph', 'content': "Specifically, an attacker can submit a form with parameters like user_id, first name, last name, email, and user_type set to admin, which updates the user's role to administrator without proper authorization checks."}] [2, 3]

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges to an administrator role without proper authentication. This means an attacker could gain full administrative control over the Business Live Chat Software, potentially allowing them to modify settings, access sensitive data, or disrupt service.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/admin/user/users/create` that include parameters attempting to change user roles, such as `user_type` set to "1" for admin.'}, {'type': 'paragraph', 'content': 'You can use network traffic analysis tools or web server logs to identify such requests.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like `grep` on web server logs to find POST requests to the user creation endpoint:'}, {'type': 'list_item', 'content': 'grep "POST /admin/user/users/create" /var/log/apache2/access.log'}, {'type': 'list_item', 'content': 'grep "user_type=1" /var/log/apache2/access.log'}, {'type': 'paragraph', 'content': 'Additionally, inspecting HTTP traffic with tools like Wireshark or using intrusion detection systems to flag unauthorized privilege escalation attempts can help detect exploitation attempts.'}] [2, 3]

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection mechanisms such as requiring CSRF tokens on sensitive POST requests to prevent unauthorized form submissions.

Restrict access to the user creation endpoint to authorized administrators only and enforce proper authentication and authorization checks on the server side.

If possible, update or patch the Business Live Chat Software to a version that addresses this vulnerability.

As a temporary measure, monitor and block suspicious POST requests that attempt to change user roles.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart