CVE-2020-36945
Published: 28 January 2026
Summary
CVE-2020-36945 is a high-severity SQL Injection (CWE-89) vulnerability in WebDamn (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-36945 is a SQL injection vulnerability (CWE-89) in the WebDamn User Registration Login System, a PHP/MySQL-based user management component. The flaw resides in the login authentication process, where attackers can manipulate email credentials to bypass verification. Specifically, injecting the payload '<email>' OR '1'='1' into both the username and password fields allows unauthorized access to the user panel. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility and significant confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. By submitting the crafted SQL payload during login attempts, they bypass authentication entirely and gain access to the protected user panel, potentially exposing sensitive user data while enabling limited integrity modifications.
Advisories and references, including Exploit-DB (exploit 49170), VulnCheck, and the WebDamn project pages, document the issue and provide proof-of-concept details but do not specify patches or vendor mitigations in the available information. Security practitioners should review these sources for updates and consider input sanitization or prepared statements as standard SQL injection defenses.
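The login bypass described above next to the prepared-statement defense, as an added example (not WebDamn's code and not taken from the referenced advisories). Python's sqlite3 stands in for PHP/MySQL; the table layout, function names, sample account and the concatenated query shape are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT,"
               " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice@example.test", "correct horse", salt,
                _hash("correct horse", salt)))
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str) -> bool:
    # Assumed shape of the flawed pattern: both form fields are concatenated
    # into the SQL text, so quotes in the input change the WHERE clause.
    sql = ("SELECT email FROM users WHERE email = '" + email +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db: sqlite3.Connection, email: str, password: str) -> bool:
    # SI-10 style shape check; it narrows input but is not the primary control.
    if len(email) > 254 or email.count("@") != 1:
        return False
    # Prepared statement: the driver binds email as data, never as SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # The password never enters the query; it is checked in code against a
    # salted hash with a constant-time comparison.
    return hmac.compare_digest(_hash(password, row[0]), row[1])


# Constructed input following the page's '<email>' OR '1'='1' pattern.
PAYLOAD = "alice@example.test' OR '1'='1"
```

With the bound parameter, the payload is looked up as a literal email address that matches no row, so the login fails even though it passes the shape check.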
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30889
Vulnerability details
WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web login form enables unauthenticated authentication bypass, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user inputs to the login form, directly preventing SQL injection payloads from manipulating authentication queries.
AC-3 enforces approved access authorizations, mitigating unauthorized entry to the user panel gained via authentication bypass.
SI-2 mandates identification, reporting, and correction of the SQL injection flaw in the WebDamn login system.