← back
CVE-2020-37217

Easy2Pilot 7 Cross-Site Request Forgery via admin.php

CVSS 5.1 MEDIUMEPSS 0.1%CWE-352
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Affected products
Easy2Pilot · Easy2Pilot
public PoCs found1
cve_referencewww.exploit-db.com/exploits/48099unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://easy2pilot-v7.com/https://www.exploit-db.com/exploits/48099https://www.vulncheck.com/advisories/easy2pilot-7-cross-site-request-forgery-via-admin-php