CVE-2020-37046
Description
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a CSRF flaw in tambahuser.php, enabling unauthenticated creation of admin accounts without consent.
Vulnerability
Overview
CVE-2020-37046 describes a cross-site request forgery (CSRF) vulnerability in Sistem Informasi Pengumuman Kelulusan Online 1.0, a graduation announcement web application. The flaw resides in the /admin/tambahuser.php endpoint, which lacks any anti-CSRF token or origin validation. An attacker can craft a malicious HTML form that, when visited by an authenticated administrator, silently submits new admin credentials to the server [1][2].
Exploitation
Details
To exploit CSRF, the attacker must trick a logged-in admin into visiting a crafted page containing the malicious form. The exploit proof-of-concept (PoC) shows a simple HTML form that submits fields for *nama*, *username*, and *pass* to the tambahuser.php endpoint. No authentication is required beyond the victim's active session; the server processes the request as if it were legitimately initiated by the admin [2]. The default admin credentials (username: admin, password: admin) further lower the barrier for initial access [1].
Impact
Successful exploitation allows an attacker to create arbitrary admin accounts with full privileges. Once an attacker-controlled admin account exists, they can view or modify student data, import records, access the message inbox, and potentially alter graduation results. This undermines the application's integrity and can lead to unauthorized data disclosure or manipulation [1][2].
Mitigation
Status
As of the latest reference (2024), the vendor's website still hosts the vulnerable application [3]. No official patch or security update has been released; users are advised to implement server-side CSRF protections, such as synchronizer tokens or SameSite cookies, or to restrict access to the admin panel through IP whitelisting or additional authentication layers [2].
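As an added illustration (not code from the application, the PoC, or the advisory), the server-side check the mitigation advice describes, modeled in Python: a synchronizer token bound to the admin session plus an Origin/Referer comparison, applied to constructed requests that mirror the tambahuser.php form fields. The application host name is a placeholder.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Placeholder origin of the graduation announcement app (assumed, not from the advisory).
TRUSTED_ORIGIN = "https://kelulusan.example.invalid"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: generated once per session, stored server-side, embedded in the form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_request_allowed(session: dict, headers: dict, form: dict) -> tuple[bool, str]:
    """Decide whether a POST to /admin/tambahuser.php may be processed.

    Two independent checks: the browser-supplied Origin (or Referer) must match the
    application's own origin, and the hidden form token must equal the session copy.
    A cross-site form fails both: the foreign page cannot read the victim's token,
    and the browser attaches the foreign page's Origin to the request.
    """
    if "admin_user" not in session:
        return False, "not authenticated"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-site origin {parts.netloc}"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "csrf token mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the check over constructed sample requests (fields nama/username/pass as in the PoC)."""
    session = {"admin_user": "admin"}          # constructed: an authenticated admin session
    token = issue_csrf_token(session)
    fields = {"nama": "x", "username": "x", "pass": "x"}
    return {
        "cross_site": is_request_allowed(session, {"Origin": "https://other.invalid"}, fields),
        "no_token": is_request_allowed(session, {"Origin": TRUSTED_ORIGIN}, fields),
        "legit": is_request_allowed(session, {"Origin": TRUSTED_ORIGIN},
                                    {**fields, "csrf_token": token}),
    }
```

Setting the session cookie with SameSite=Lax or Strict, as the text also suggests, is a complementary browser-side layer; the token check above is the one the server controls fully.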
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.