CVE-2020-37145
Description
HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HRSALE 1.1.8 is vulnerable to CSRF, allowing attackers to trick authenticated admins into adding unauthorized admin users via a crafted form.
Vulnerability
Overview
HRSALE version 1.1.8 contains a cross-site request forgery (CSRF) vulnerability in the employee registration form. The application does not implement sufficient anti-CSRF tokens or other request validation mechanisms, allowing an attacker to craft a malicious HTML page that, when visited by an authenticated administrator, submits a hidden form to add a new user with administrative privileges [1][3].
Exploitation
An attacker can exploit this by hosting a page containing a form that automatically submits to the /admin/employees/add_employee endpoint with pre-filled fields such as username, password, and role. The proof-of-concept demonstrates that the form includes a csrf_hrsale token, but the token is static and can be extracted or reused, rendering it ineffective [1]. The attack requires no authentication on the attacker's part, only that a logged-in administrator visits the malicious page [3].
Impact
Successful exploitation allows an attacker to create a new administrative user account on the HRSALE instance. This account can then be used to access sensitive HR data, modify employee records, or perform other privileged actions, effectively compromising the entire application [1][3].
Mitigation
As of the latest available information, no official patch has been released for this vulnerability. Users are advised to implement additional CSRF protection mechanisms, such as unique, per-request tokens tied to the user session, and to consider using the SameSite cookie attribute or custom request headers to validate that requests originate from the application itself [3].
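The mitigation above (tokens bound to the authenticated session, rejected on replay, checked in constant time, plus a SameSite session cookie) is shown below as an added illustration. This is not HRSALE code and not the vendor's fix; the class and function names, the session identifiers and the form values are hypothetical, and the server secret is generated at import time only so the example runs offline. The form field name csrf_hrsale is taken from the description; everything else is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a real deployment loads this from protected
# configuration and never regenerates it per process.
SERVER_SECRET = secrets.token_bytes(32)


class CsrfProtection:
    """Issue and validate single-use anti-CSRF tokens bound to a session id.

    A token is nonce.HMAC(secret, session_id:nonce). Because the session id is
    part of the MAC input, a token lifted from one user's page (the static-token
    weakness described above) does not validate for any other session.
    """

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        # Nonces issued to each session and not yet consumed.
        self._outstanding: dict[str, set[str]] = {}

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Mint a fresh token when rendering a form for this session."""
        nonce = secrets.token_hex(16)
        self._outstanding.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def validate(self, session_id: str, token: str) -> bool:
        """Accept a token once, only for the session it was issued to."""
        nonce, sep, mac = token.partition(".")
        if not sep:
            return False  # malformed or missing token
        # Constant-time comparison avoids leaking the expected MAC by timing.
        if not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False
        outstanding = self._outstanding.get(session_id)
        if not outstanding or nonce not in outstanding:
            return False  # never issued, or already used (replay)
        outstanding.discard(nonce)
        return True


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session; SameSite=Strict keeps the browser from
    attaching the cookie to a form posted from an attacker-controlled origin."""
    return (f"Set-Cookie: hrsale_session={session_id}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def add_employee(csrf: CsrfProtection, session_id: str,
                 form: dict, users: list) -> bool:
    """Hypothetical handler for the add-employee action: the token check runs
    before any state change, so a forged request creates no account."""
    if not csrf.validate(session_id, form.get("csrf_hrsale", "")):
        return False
    users.append({"username": form["username"], "role": form["role"]})
    return True


def demo() -> dict:
    """Exercise the handler with a legitimate submit and three rejected cases."""
    csrf = CsrfProtection(SERVER_SECRET)
    users: list = []
    admin = "sess-admin-1"  # constructed session id of the logged-in admin

    token = csrf.issue(admin)
    legit = {"csrf_hrsale": token, "username": "new.hr", "role": "employee"}
    ok = add_employee(csrf, admin, legit, users)

    # Same token submitted a second time: single-use, so rejected.
    replay = add_employee(csrf, admin, dict(legit, username="again"), users)

    # Token minted for another session and reused against the admin's session.
    foreign = csrf.issue("sess-other")
    cross = add_employee(csrf, admin,
                         {"csrf_hrsale": foreign, "username": "x", "role": "admin"},
                         users)

    # No token at all, as a cross-site form without access to the page would send.
    missing = add_employee(csrf, admin, {"username": "x", "role": "admin"}, users)

    return {"legit": ok, "replay": replay, "cross_session": cross,
            "missing": missing, "user_count": len(users)}


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header("sess-admin-1"))
```

Only the first submission succeeds; the replayed, cross-session and token-less requests all fail before the user list is touched. The cookie header is the complementary browser-side control: with SameSite=Strict the admin's session cookie is not sent on a top-level POST initiated from another site, so the forged request arrives unauthenticated even if a token check were missing.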
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.