Meisam Monsef

**Name of the Vulnerable Software and Affected Versions** Business Live Chat Software version 1.0 **Description** The software contains a cross-site request forgery condition that permits attackers to alter user account roles without needing to authenticate. An attacker can create a malicious HTML form to modify user privileges by sending a POST request to the user creation endpoint with administrative access parameters. The vulnerable endpoint is the user creation endpoint. The vulnerable parameter is administrative access parameters. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the user creation endpoint.