CVE-2020-37217 Overview
CVE-2020-37217 is a cross-site request forgery [CWE-352] vulnerability in Easy2Pilot 7. The flaw resides in the admin.php?action=add_user endpoint, which fails to validate the origin or authenticity of incoming POST requests. An attacker can craft a malicious HTML page that submits forged user-creation requests when an authenticated administrator visits the page. Successful exploitation creates a new administrative account using attacker-controlled username and password parameters, granting persistent unauthorized access to the application.
Critical Impact
Attackers can create unauthorized administrative accounts in Easy2Pilot 7 by luring an authenticated admin to a malicious page, leading to full application takeover.
Affected Products
- Easy2Pilot 7 (no fixed version is identified in the available advisory data)
- Affected component: the admin.php user management endpoint (action=add_user)
- Exposure is highest for deployments that reach this endpoint without compensating CSRF protection at a proxy, WAF, or reverse-proxy layer
Discovery Timeline
- 2026-05-13 - CVE-2020-37217 published to NVD
- 2026-05-13 - Last updated in NVD database
Additional context is available in the VulnCheck Advisory on Easy2Pilot and the public proof-of-concept published as Exploit-DB #48099.
Technical Details for CVE-2020-37217
Vulnerability Analysis
The Easy2Pilot 7 administrative interface processes user-creation requests at admin.php?action=add_user without verifying request authenticity. The endpoint accepts a POST body containing username and password parameters and provisions a new account based solely on the session cookie of the requester. Because no anti-CSRF token, Origin header check, or SameSite cookie restriction is enforced, any cross-origin POST submitted while an administrator is authenticated executes with full privileges. The attacker never needs to read the response — account creation is a state-changing side effect that completes silently in the victim's browser.
Root Cause
The root cause is the absence of request authenticity validation on a state-changing endpoint. Easy2Pilot 7 does not issue per-session CSRF tokens, does not verify the Referer or Origin header, and relies entirely on ambient session cookies for authorization. This pattern matches [CWE-352] cross-site request forgery, where the server trusts that any authenticated request reflects the user's intent.
Attack Vector
Exploitation requires the attacker to host a webpage containing an auto-submitting HTML form that targets the vulnerable endpoint. The attacker then lures an authenticated Easy2Pilot administrator to the page through phishing, a forum link, or a cross-site script on a related domain. When the victim's browser loads the page, it automatically submits the form to admin.php?action=add_user with the attacker-supplied username and password fields. The administrator's session cookie is attached automatically, and the server provisions the new account.
No verified exploit code is included in this advisory. The proof-of-concept hosted on Exploit-DB demonstrates the auto-submitting form pattern described above.
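To make the root cause concrete, here is an added illustration that is not Easy2Pilot code and not the Exploit-DB proof-of-concept: a minimal stand-in for an add_user handler that trusts the ambient session cookie alone, beside a hardened version that also demands a trusted Origin (or Referer) and a single-use per-session CSRF token. The request and session shapes, the origin easy2pilot.internal, and the account names are assumptions made for the example; the forged cross-site POST is simulated the way the victim's browser would send it, with the session cookie attached and an attacker-controlled Origin.

```python
# Added illustration of the CWE-352 pattern, not Easy2Pilot code: an add_user
# handler that trusts the session cookie alone, next to a hardened version that
# also requires a trusted Origin and a per-session CSRF token (assumed shapes).
import hmac
import secrets
from urllib.parse import urlparse

TRUSTED_ORIGIN = "https://easy2pilot.internal"  # assumed deployment origin

# Server-side session store keyed by session cookie value (constructed).
SESSIONS = {"admsess": {"role": "admin", "csrf_token": None}}


def _admin_session(request):
    """Returns the session for the request's cookie if it is an admin session."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    return sess if sess and sess["role"] == "admin" else None


def vulnerable_add_user(request, users):
    """Provisions a user on the strength of the session cookie alone."""
    if request["method"] != "POST" or not _admin_session(request):
        return 403
    form = request["form"]
    users[form["username"]] = {"password": form["password"], "role": "admin"}
    return 200


def issue_csrf_token(session_id):
    """Called when the admin form is rendered: one random token per session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def origin_is_trusted(request):
    """Origin, or failing that Referer, must match the site's own origin.
    A state-changing request that carries neither header is refused."""
    origin = request["headers"].get("Origin")
    if origin is None:
        referer = request["headers"].get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == TRUSTED_ORIGIN


def hardened_add_user(request, users):
    """Same provisioning, gated on Origin/Referer and a single-use token."""
    sess = _admin_session(request)
    if request["method"] != "POST" or not sess:
        return 403
    if not origin_is_trusted(request):
        return 403
    expected = sess["csrf_token"]
    supplied = request["form"].get("csrf_token", "")
    # Constant-time compare; a missing or never-issued token fails closed.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    sess["csrf_token"] = None  # single use
    form = request["form"]
    users[form["username"]] = {"password": form["password"], "role": "admin"}
    return 200


def forged_request():
    """Cross-site form POST as the victim's browser sends it (constructed)."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example",
                    "Referer": "https://attacker.example/lure.html"},
        "cookies": {"session": "admsess"},  # ambient cookie rides along
        "form": {"username": "backdoor", "password": "Hunter2!"},
    }


def legitimate_request(token):
    """The same POST issued from the real admin form, carrying the token."""
    return {
        "method": "POST",
        "headers": {"Origin": TRUSTED_ORIGIN},
        "cookies": {"session": "admsess"},
        "form": {"username": "newadmin", "password": "S3cret!",
                 "csrf_token": token},
    }


def demo():
    """Returns (forged vs vulnerable, forged vs hardened, legitimate vs
    hardened, backdoor created by vulnerable?, backdoor created by hardened?)."""
    users_v, users_h = {}, {}
    forged_v = vulnerable_add_user(forged_request(), users_v)
    forged_h = hardened_add_user(forged_request(), users_h)
    legit_h = hardened_add_user(legitimate_request(issue_csrf_token("admsess")),
                                users_h)
    return (forged_v, forged_h, legit_h,
            "backdoor" in users_v, "backdoor" in users_h)


if __name__ == "__main__":
    print(demo())  # (200, 403, 200, True, False)
```

The vulnerable handler accepts the forged POST because everything it checks (method, cookie, role) is supplied by the victim's browser automatically; the hardened handler refuses it on the Origin check alone, and would refuse it again on the token check if the attacker somehow spoofed Origin, since the token lives only in the server session and the page the administrator actually opened.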
Detection Methods for CVE-2020-37217
Indicators of Compromise
- Unexpected user accounts present in the Easy2Pilot administrative user table that do not correspond to documented provisioning activity.
- HTTP access logs containing POST requests to admin.php?action=add_user with a Referer header pointing to an external or untrusted domain.
- Administrative account creation events occurring outside business hours or shortly after an administrator browsed external links.
Detection Strategies
- Audit the Easy2Pilot user table on a recurring schedule and compare entries against an approved-account inventory.
- Inspect web server logs for POST requests to admin.php where the Referer header is missing, blank, or points to a third-party host. The default combined log format does not record the Origin header; add $http_origin to a custom log_format if you want to check it as well.
- Alert on any successful response to action=add_user that lacks a corresponding administrator-initiated session workflow.
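The log inspection strategy above, as an added example that is not part of the advisory: a scanner over constructed combined-format access log lines that reports add_user POSTs whose Referer is absent or off-site, including attempts the server rejected, so a blocked campaign is still visible. The trusted hostname is an assumption; the combined format carries Referer but not Origin.

```python
# Added detection example (not from the advisory): flag POSTs to
# admin.php?action=add_user whose Referer is absent or off-site.
# Log lines are constructed; the trusted host is an assumption.
import re
from urllib.parse import urlparse, parse_qs

TRUSTED_HOSTS = {"easy2pilot.internal"}  # assumed

# Apache/nginx "combined" format:
# IP - - [TS] "METHOD TARGET PROTO" STATUS BYTES "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2026:09:14:02 +0000] "GET /admin.php?action=list_users HTTP/1.1" 200 4120 "https://easy2pilot.internal/admin.php" "Mozilla/5.0"
203.0.113.7 - - [13/May/2026:09:14:40 +0000] "POST /admin.php?action=add_user HTTP/1.1" 200 312 "https://easy2pilot.internal/admin.php?action=add_user" "Mozilla/5.0"
203.0.113.7 - - [13/May/2026:22:51:09 +0000] "POST /admin.php?action=add_user HTTP/1.1" 200 312 "https://forum.example.net/thread/8812" "Mozilla/5.0"
203.0.113.7 - - [13/May/2026:22:51:10 +0000] "POST /admin.php?action=add_user HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [13/May/2026:23:02:00 +0000] "POST /admin.php?action=add_user HTTP/1.1" 403 0 "https://forum.example.net/thread/8812" "Mozilla/5.0"
"""


def is_add_user(target):
    """True for /admin.php with action=add_user in the query string."""
    u = urlparse(target)
    return (u.path.endswith("/admin.php")
            and parse_qs(u.query).get("action") == ["add_user"])


def referer_verdict(referer):
    """'missing' (no Referer logged), 'trusted', or 'external'."""
    if referer in ("", "-"):
        return "missing"
    host = urlparse(referer).hostname
    return "trusted" if host in TRUSTED_HOSTS else "external"


def find_suspicious(log_text):
    """One finding per add_user POST whose Referer is missing or off-site.
    Non-2xx attempts are kept (with their status) so blocked tries show up."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        if m["method"] != "POST" or not is_add_user(m["target"]):
            continue
        verdict = referer_verdict(m["referer"])
        if verdict == "trusted":
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "referer": verdict, "raw_referer": m["referer"],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A missing Referer is reported rather than ignored because a lure page can set a referrer policy of no-referrer, which makes the forged POST arrive with no Referer at all; a legitimate admin form submitted from the application's own page normally carries one.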
Monitoring Recommendations
- Forward Easy2Pilot web server access logs to a centralized log platform and retain them for incident review.
- Correlate new-user-creation events with administrator browsing activity and email gateway phishing alerts.
- Monitor outbound DNS and HTTP egress from administrator workstations for connections to recently registered or low-reputation domains.
How to Mitigate CVE-2020-37217
Immediate Actions Required
- Restrict access to the Easy2Pilot administrative interface to a trusted management network or VPN segment.
- Require administrators to use a dedicated browser profile that is not used for general web browsing or email link handling.
- Review the existing user table and remove any accounts that cannot be tied to an approved provisioning request.
Patch Information
No vendor patch is referenced in the available advisory data. Easy2Pilot 7 operators should consult the Easy2Pilot Homepage and the VulnCheck Advisory on Easy2Pilot for vendor updates. Until a fix is published, compensating controls are required.
Workarounds
- Deploy a reverse proxy or web application firewall in front of Easy2Pilot 7 to enforce Origin and Referer header validation on POST requests to admin.php.
- Configure the session cookie with the SameSite=Strict and Secure attributes so the browser does not attach it to a cross-site form POST. If the application cannot be changed, nginx 1.19.3 or later can add the flags to the upstream Set-Cookie header with proxy_cookie_flags (for example, proxy_cookie_flags ~ secure httponly samesite=strict). With SameSite=Strict an administrator who follows an external link into the application arrives without the cookie and has to open the application directly; that is the intended trade-off for an admin interface.
- Block direct internet exposure of the administrative interface and require authenticated VPN access for any administrative session.
# Example nginx snippet blocking cross-site POSTs to admin.php. nginx does not
# allow an "if" nested inside another "if", so the checks are expressed with
# "map" blocks (http context); easy2pilot.internal is the trusted origin.
map $http_origin $origin_ok {
    default 0;
    "~^https?://easy2pilot\.internal(:[0-9]+)?$" 1;
}
map $http_referer $referer_ok {
    default 0;
    "~^https?://easy2pilot\.internal(:[0-9]+)?/" 1;
}
# A POST that carries neither a trusted Origin nor a trusted Referer is either
# forged or sent by a client that strips both headers; refuse it either way.
map "$request_method:$origin_ok:$referer_ok" $csrf_block {
    default 0;
    "POST:0:0" 1;
}
# server context
location = /admin.php {
    if ($csrf_block) {
        return 403;
    }
    proxy_pass http://easy2pilot_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.