CVE-2020-37106

Name of the Vulnerable Software and Affected Versions Business Live Chat Software version 1.0

Description The software contains a cross-site request forgery condition that permits attackers to alter user account roles without needing to authenticate. An attacker can create a malicious HTML form to modify user privileges by sending a POST request to the user creation endpoint with administrative access parameters. The vulnerable endpoint is the user creation endpoint. The vulnerable parameter is administrative access parameters.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the user creation endpoint.