CVE-2020-37054
Published: 30 January 2026
Summary
CVE-2020-37054 is a medium-severity CSRF (CWE-352) vulnerability in Naviwebs Navigate Cms. Its CVSS base score is 4.3 (Medium).
Operationally, ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.
NVD Description
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
Deeper analysisAI
Navigate CMS version 2.8.7 is affected by CVE-2020-37054, a cross-site request forgery (CSRF) vulnerability classified under CWE-352. The flaw exists in the extension upload functionality, which lacks proper validation, enabling attackers to upload malicious extensions through a crafted HTML page. This issue has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and low privilege requirements.
Remote attackers can exploit this vulnerability by tricking authenticated administrators (requiring low privileges) into interacting with a malicious HTML page. Upon submission, the forged request bypasses CSRF protections and uploads arbitrary files disguised as extensions, potentially leading to integrity impacts such as server compromise through malicious code execution.
References include advisories from VulnCheck detailing the CSRF issue, an exploit proof-of-concept on Exploit-DB (ID 48548), and project pages on SourceForge and NavigateCMS.com. No specific patch or mitigation details are outlined in the provided information.
Details
- CWE(s)