CVE-2020-37145

MEDIUM 4.3

HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges.

CWE	CWE-352
Vendor	hrsale
Product	hrsale
Published	Feb 5, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for hrsale hrsale

Be the first to know when new medium vulnerabilities affecting hrsale hrsale are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

HRSALE / HRSALE

1.1.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/48205 web.archive.org: https://web.archive.org/web/20200109113640/http://hrsale.com/ vulncheck.com: https://www.vulncheck.com/advisories/hrsale-cross-site-request-forgery-add-admin

Credits

Ismail Akıcı