CVE-2020-37106
Description
Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Business Live Chat Software 1.0 contains a CSRF vulnerability allowing attackers to change user roles to admin via a crafted form.
Vulnerability Details
Business Live Chat Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the user creation endpoint /admin/user/users/create. The endpoint lacks CSRF protection, allowing an attacker to craft a malicious HTML form that can modify user privileges. The vulnerability is classified under CWE-352 and affects versions up to 1.0 [2][3].
Exploitation
An attacker can exploit this by creating a form that includes parameters such as user_type=1 (admin) and submitting it to the target endpoint. The exploit requires no authentication from the attacker; the form must be submitted by a logged-in user, typically through social engineering. The exploit as published on Exploit-DB demonstrates how to change the role of any user to admin by supplying the user ID and desired role [2]. No CSRF token or additional validation is present, making the attack straightforward [3].
Impact
Successful exploitation allows an attacker to escalate their privileges to administrator, gaining full control over the application. This includes the ability to manage users, chats, and settings. If an admin user is tricked into submitting the form, the attacker can achieve persistent administrative access without any credentials [2][3].
Mitigation
As of the publication date (February 2026), no official patch has been released by the vendor. Mitigations include implementing CSRF tokens for all state-changing requests, adding authentication checks on the server side, and disabling the vulnerable endpoint if not required. Administrators should monitor for any security updates from Bdtask [1].
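One way to implement the first two mitigations above (a per-session CSRF token plus a server-side authorization check) on a user-creation handler, as an added illustration written for this page and not Bdtask's code; the Session and Request classes, the csrf_token field name and the ALLOWED_ORIGIN value are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical minimal model of the state-changing endpoint (assumed names).
@dataclass
class Session:
    user_id: int
    is_admin: bool
    # Synchronizer token: generated server-side, stored in the session,
    # and rendered into legitimate forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    session: Session                 # resolved from the browser's session cookie
    form: dict                       # POST body fields
    origin: Optional[str] = None     # Origin header, if the browser sent one

ALLOWED_ORIGIN = "https://chat.example.test"  # constructed deployment origin

def csrf_check(req: Request) -> bool:
    """A cross-site form can make the browser attach the session cookie, but it
    cannot read this session's token, so a forged request fails the comparison."""
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return False
    # Defence in depth: when the browser reports an Origin it must be our own.
    if req.origin is not None and req.origin != ALLOWED_ORIGIN:
        return False
    return True

def create_user(req: Request, users: dict) -> Tuple[int, str]:
    """Hardened handler for a request such as POST /admin/user/users/create."""
    if not csrf_check(req):
        return 403, "csrf check failed"
    # Authorization comes from the server-side session, never from form input.
    if not req.session.is_admin:
        return 403, "admin role required"
    new_id = max(users, default=0) + 1
    users[new_id] = {"name": req.form.get("name", ""),
                     "user_type": int(req.form.get("user_type", 0))}
    return 201, f"user {new_id} created"
```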
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.