CVE-2020-37046 in Sistem Informasi Pengumuman Kelulusan Online
Summary
by MITRE • 01/31/2026
Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/31/2026
The Sistem Informasi Pengumuman Kelulusan Online 1.0 application presents a critical cross-site request forgery vulnerability identified as CVE-2020-37046 which fundamentally compromises the system's administrative access control mechanisms. This vulnerability resides within the tambahuser.php endpoint, which serves as the user creation interface for the application's administrative functions. The flaw represents a classic csrf attack vector where an attacker can manipulate the application's behavior through carefully crafted malicious requests that appear to originate from legitimate administrative sessions. The vulnerability stems from the absence of proper anti-forgery token validation or session consistency checks within the user creation process, allowing unauthorized actors to exploit the application's trust relationship with authenticated users.
The technical implementation of this vulnerability demonstrates a failure in the application's security architecture where the tambahuser.php endpoint lacks sufficient validation mechanisms to distinguish between legitimate administrative requests and maliciously crafted submissions. Attackers can construct malicious HTML forms that automatically submit administrative credentials to the vulnerable endpoint, bypassing normal authentication and authorization controls. This flaw operates under the principles of CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities, where the application fails to validate that requests originate from legitimate sources within the same origin. The vulnerability allows for arbitrary administrative account creation, providing attackers with persistent access to the system's administrative functions and enabling them to manipulate user permissions, modify system configurations, or access sensitive data.
The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with complete administrative control over the application's user management system. Once an attacker successfully exploits this vulnerability, they can create new administrative accounts with full privileges, effectively compromising the entire application's security posture. The implications include potential data breaches, unauthorized modification of exam results, manipulation of user access controls, and the ability to establish backdoor accounts that persist even after the initial exploitation attempt. This vulnerability directly violates the principle of least privilege and can lead to cascading security failures throughout the system, as administrative accounts typically possess elevated permissions that can be leveraged to access other system components or databases.
Mitigation strategies for CVE-2020-37046 must focus on implementing robust anti-forgery token mechanisms and ensuring proper request validation within the application's administrative endpoints. The recommended approach involves incorporating unique, unpredictable tokens for each user session that must be validated before any administrative operations are processed, following the principles outlined in the OWASP CSRF Prevention Cheat Sheet. Additionally, implementing proper origin validation, requiring referer headers, and establishing strict session management controls will significantly reduce the attack surface. The application should also enforce rate limiting on user creation requests and implement comprehensive logging of administrative activities to detect unauthorized access attempts. Organizations should also consider implementing the ATT&CK framework's T1078 technique for legitimate credentials and T1548.003 for abuse of sudo privileges, as these techniques can help identify and prevent exploitation of administrative account creation vulnerabilities. Regular security audits and penetration testing should be conducted to ensure that similar vulnerabilities are not present in other administrative endpoints within the application.