CVE-2020-37046 Overview
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery (CSRF) vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.
Critical Impact
Unauthorized attackers can create administrative accounts by tricking authenticated administrators into visiting a malicious webpage, potentially leading to complete system compromise.
Affected Products
- Sistem Informasi Pengumuman Kelulusan Online 1.0
Discovery Timeline
- 2026-01-30 - CVE CVE-2020-37046 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37046
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The Sistem Informasi Pengumuman Kelulusan Online application fails to implement proper anti-CSRF protections on its user management functionality. When an authenticated administrator visits a malicious webpage while logged into the application, the attacker can exploit this weakness to perform unauthorized actions on behalf of the administrator.
The vulnerability specifically targets the tambahuser.php endpoint, which handles the creation of new user accounts. Because this endpoint does not validate the origin of requests or require CSRF tokens, an attacker can construct a hidden form on a malicious website that automatically submits a request to create a new administrator account when visited by an authenticated admin.
Root Cause
The root cause of this vulnerability is the absence of CSRF token validation in the tambahuser.php endpoint. The application does not implement any mechanism to verify that requests to add new users originate from legitimate application pages. This allows attackers to forge requests from external domains that will be processed as if they came from the authenticated user.
Attack Vector
The attack leverages a network-based vector requiring user interaction. An attacker creates a malicious webpage containing a hidden HTML form that targets the vulnerable endpoint. The form is pre-populated with attacker-controlled credentials for a new administrative account. When an authenticated administrator visits this malicious page, JavaScript or auto-submit functionality triggers the form submission, sending the forged request to the application using the victim's authenticated session cookies.
The vulnerability is exploitable by crafting a malicious HTML page that automatically submits a form to the tambahuser.php endpoint. The form contains hidden fields specifying the username, password, and privilege level for a new administrator account. When an authenticated administrator visits this page, their browser automatically includes their session cookie with the forged request, allowing the attacker to create an unauthorized admin account. For technical details and proof-of-concept code, refer to the Exploit-DB #48571 advisory.
Detection Methods for CVE-2020-37046
Indicators of Compromise
- Unexpected creation of new administrative user accounts
- Web server access logs showing POST requests to tambahuser.php with Referer headers from external domains
- Multiple admin accounts created in short succession from unusual IP addresses
- User accounts with suspicious usernames or email patterns not following organizational standards
Detection Strategies
- Monitor web server access logs for POST requests to tambahuser.php with Referer headers from external domains
- Implement alerting on new administrator account creation events
- Review audit logs for user management activities performed outside normal business hours
- Deploy web application firewalls (WAF) with CSRF detection capabilities
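The first detection strategy above, as an added example that is not part of the original advisory: a PHP script that parses Apache/Nginx "combined" access log lines and flags POSTs to tambahuser.php whose Referer is missing or names a host other than the application. The hostname, the parameter names and the log lines are constructed sample data.

```php
<?php
// Added example (not from the advisory): flag POSTs to tambahuser.php whose Referer
// is absent or belongs to another host. APP_HOST and the log lines are constructed.
declare(strict_types=1);

const APP_HOST = 'kelulusan.example.sch.id'; // assumed hostname of the application

// "combined" format: client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_line(string $line): ?array {
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null; // not a combined-format line; skip it
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int)$m[5], 'referer' => $m[6]];
}

// A POST to the user-creation endpoint is suspicious when the Referer is "-" (absent)
// or its host is not the application itself.
function is_suspicious(array $req): bool {
    if ($req['method'] !== 'POST' || strpos($req['path'], 'tambahuser.php') === false) {
        return false;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST); // null/false when no host component
    return !is_string($host) || strcasecmp($host, APP_HOST) !== 0;
}

function find_suspicious(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample: a legitimate admin action, a forged one from a lure page, one with no Referer, and a GET.
$sample = [
    '10.0.0.5 - - [30/Jan/2026:10:01:02 +0700] "POST /admin/tambahuser.php HTTP/1.1" 302 221 "https://kelulusan.example.sch.id/admin/tambahuser.php" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Jan/2026:10:07:45 +0700] "POST /admin/tambahuser.php HTTP/1.1" 302 221 "http://attacker.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Jan/2026:10:09:13 +0700] "POST /admin/tambahuser.php HTTP/1.1" 302 221 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Jan/2026:10:10:00 +0700] "GET /admin/tambahuser.php HTTP/1.1" 200 1830 "https://kelulusan.example.sch.id/admin/index.php" "Mozilla/5.0"',
];

foreach (find_suspicious($sample) as $hit) { // prints two ALERT lines for the sample above
    printf("ALERT %s %s POST %s referer=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer']);
}
```

A missing Referer is a weaker signal than a foreign one, because browsers with a strict referrer policy or privacy extensions also omit the header on legitimate requests; treat those hits as candidates to correlate with the account-creation alerts, not as confirmed compromise.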
Monitoring Recommendations
- Enable detailed logging for all user management endpoints
- Configure alerts for administrative account creation events
- Monitor for unusual patterns in user account modifications
- Implement session monitoring to detect potential session abuse
How to Mitigate CVE-2020-37046
Immediate Actions Required
- Restrict access to the administrative interface to trusted IP addresses only
- Implement a web application firewall (WAF) with CSRF protection rules
- Review and audit all existing administrative accounts for unauthorized entries
- Consider disabling the application until patches or workarounds are applied
Patch Information
There is no official patch available from the vendor at this time. Organizations using this application should implement the workarounds below and monitor the VulnCheck CSRF Advisory for updates. For more information about the application, refer to the Adikiss Application Overview.
Workarounds
- Implement custom CSRF token validation in tambahuser.php and all user management endpoints
- Restrict administrative panel access via IP whitelisting at the network or web server level
- Deploy a reverse proxy with CSRF protection capabilities
- Require re-authentication for sensitive administrative actions like user creation
# Apache IP restriction example for admin directories.
# Put this in httpd.conf or a virtual-host file: <Directory> blocks are not
# allowed inside .htaccess (there, use only the Require line).
<Directory "/var/www/html/admin">
    # Apache 2.4 (mod_authz_core): deny everything except the listed networks
    Require ip 192.168.1.0/24 10.0.0.0/8
    # Apache 2.2 equivalent (needs mod_access_compat on 2.4):
    #   Order Deny,Allow
    #   Deny from all
    #   Allow from 192.168.1.0/24 10.0.0.0/8
</Directory>
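The missing control named under Root Cause and the first workaround above, as an added example that is not the application's own code: a synchronizer-token check for a user-creation handler like tambahuser.php, with a same-origin check and a SameSite session cookie as defense in depth. The function names, form field names and the add_user() call are hypothetical.

```php
<?php
// Added example (not the application's code): CSRF protection for a handler like
// tambahuser.php. Function names, field names and add_user() are hypothetical.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Strict', // PHP >= 7.3: browsers omit the cookie on cross-site POSTs
]);

// One random token per session; the legitimate form embeds it as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A form hosted on another site cannot read the session token, so it cannot submit it.
// hash_equals() compares in constant time; is_string() rejects csrf_token[]= tricks.
function csrf_check($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defense in depth: Origin (or, failing that, Referer) must name this host.
function same_origin_check(array $server): bool {
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);        // null/false if no host component
    $self = strtok($server['HTTP_HOST'] ?? '', ':'); // drop any :port suffix
    return is_string($host) && $self !== false && strcasecmp($host, $self) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null) || !same_origin_check($_SERVER)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Only now run the original user-creation logic (hypothetical stub).
    add_user($_POST['username'] ?? '', $_POST['password'] ?? '');
    exit;
}
?>
<form method="post" action="tambahuser.php">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
    <input name="username"> <input type="password" name="password">
    <button type="submit">Tambah user</button>
</form>
```

Rotating the token after a successful user creation and requiring re-authentication (the last workaround above) close the remaining window in which a leaked token could be replayed.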
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.