CVE-2020-37004
Published: 29 January 2026
Summary
CVE-2020-37004 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2020-37004 is a blind SQL injection vulnerability in Ultimate Project Manager CRM PRO version 2.0.5. The issue affects the /frontend/get_article_suggestion/ endpoint, where attackers can craft malicious search parameters to extract usernames and password hashes from the tbl_users database table using boolean-based inference techniques. It is classified under CWE-89 (SQL Injection) with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting high confidentiality impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. By progressively guessing values through boolean-based blind SQL injection, they can retrieve sensitive user credentials, including usernames and password hashes, potentially enabling further compromise such as account takeover if hashes are cracked.
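To make the flaw class and its fix concrete, here is an added Python/sqlite3 example that is not code from Ultimate Project Manager or from any of the advisories above. The table names `tbl_users` and `tbl_articles`, the rows in them, and the `search` parameter are constructed stand-ins; `suggest_vulnerable` is a hypothetical reconstruction of the pattern (user input concatenated into the SQL text) that makes a search endpoint a boolean oracle, and `suggest_hardened` shows the two controls the page names, input validation (SI-10) and a bound parameter so the input can never change the query's grammar.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory schema: sample rows only, not real product data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE tbl_articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO tbl_users VALUES (?, ?, ?)",
                     [(1, "alice", "hash_a"), (2, "bob", "hash_b")])
    conn.executemany("INSERT INTO tbl_articles VALUES (?, ?)",
                     [(1, "Project timelines"), (2, "Sprint planning")])
    return conn


def suggest_vulnerable(conn, search):
    """Hypothetical reconstruction of the flaw class: the search term is pasted
    into the SQL string, so quotes and operators in it become SQL syntax."""
    sql = "SELECT title FROM tbl_articles WHERE title LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(sql)]


def suggest_hardened(conn, search):
    """SI-10 allow-list on the term, then a bound parameter (AC-3 in spirit:
    the query can only ever touch tbl_articles the way the developer wrote it)."""
    if not re.fullmatch(r"[\w\s-]{1,64}", search):
        raise ValueError("rejected search term")
    sql = "SELECT title FROM tbl_articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]


# Two constructed probes that differ only in the truth of an appended condition.
# 'zzz' matches no title, so any rows returned come from the injected clause;
# '--' comments out the trailing  %'  of the original query.
TRUE_PROBE = "zzz' OR 1=1 --"
FALSE_PROBE = "zzz' OR 1=2 --"


def oracle_gap(conn, suggest):
    """Return (rows for true probe, rows for false probe). A non-zero
    difference is exactly the response oracle blind SQLi relies on."""
    return len(suggest(conn, TRUE_PROBE)), len(suggest(conn, FALSE_PROBE))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle gap:", oracle_gap(db, suggest_vulnerable))  # (2, 0)
    print("normal search:", suggest_hardened(db, "Sprint"))            # ['Sprint planning']
    try:
        suggest_hardened(db, TRUE_PROBE)
    except ValueError as exc:
        print("hardened endpoint:", exc)
```

The vulnerable version answers the true probe with every article and the false probe with none, which is all an attacker needs to turn the endpoint into a yes/no channel. The hardened version rejects the probe before it reaches the database, and even a term that passed the allow-list would be bound as data, so both probes would simply match no titles.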
Advisories and related resources, including those from VulnCheck (https://www.vulncheck.com/advisories/ultimate-project-manager-crm-pro-sqli-credentials-leakage) and Exploit-DB (https://www.exploit-db.com/exploits/48912), provide additional details on the vulnerability. The vendor site is available at https://ultimatepro.codexcube.com/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30915
Vulnerability details
The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Blind SQLi in public-facing web endpoint directly enables remote exploitation (T1190) and extraction of DB-stored credentials (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to the get_article_suggestion endpoint, blocking the crafted search parameters that enable boolean-based blind SQL injection.
- AC-3 (Access Enforcement): enforces that only authorized queries may access tbl_users, preventing the unauthorized extraction of credentials that the injection bypasses.
- Monitoring of database query patterns and anomalies at the affected endpoint, to identify ongoing boolean-based inference attacks.
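The third control above is the one most teams can act on before a patch lands, so here is an added Python example (not part of this page's analysis or of any vendor tooling) of what "monitoring query patterns at the affected endpoint" looks like in practice against web-server access logs. Boolean-based inference produces a tell-tale shape: one client, many requests to the same path, each carrying a search term with SQL tokens that differs only slightly from the last. The log lines, client addresses and search values below are constructed; the endpoint path is the one this page names, and the log format, token list and alert threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/frontend/get_article_suggestion/"

# Assumed common access-log layout: ip ident user [time] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Tokens that rarely appear in a legitimate article search but are the raw
# material of a boolean probe. Bare words like "and" will also match, which is
# why a single hit never alerts on its own (see THRESHOLD below).
SQLI_TOKENS = re.compile(
    r"(?i)('|\"|--|#|/\*|\b(and|or|select|union|substr|substring|ascii|sleep|benchmark)\b)"
)


def parse_line(line):
    """Return {'ip', 'path', 'params'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {"ip": m["ip"], "path": parts.path,
            "params": parse_qs(parts.query, keep_blank_values=True)}


def is_suspicious(params):
    """True if any query-string value carries an SQL-looking token (already URL-decoded)."""
    return any(SQLI_TOKENS.search(v) for values in params.values() for v in values)


def analyze(lines, threshold=3):
    """Group requests to ENDPOINT by client; alert when a client has sent at least
    `threshold` suspicious requests. distinct_payloads counts how many different
    parameter sets were seen, the 'slightly different each time' signature of inference."""
    per_ip = defaultdict(lambda: {"total": 0, "suspicious": 0, "payloads": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        c = per_ip[rec["ip"]]
        c["total"] += 1
        if is_suspicious(rec["params"]):
            c["suspicious"] += 1
            c["payloads"].add(tuple(sorted((k, tuple(v)) for k, v in rec["params"].items())))
    return [{"ip": ip, "suspicious": c["suspicious"], "total": c["total"],
             "distinct_payloads": len(c["payloads"])}
            for ip, c in per_ip.items() if c["suspicious"] >= threshold]


# Constructed sample log: one client probing with a varying appended condition,
# one benign client (including a phrase containing the word "and"), and one
# request to an unrelated path that the analyzer must ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jan/2026:10:00:01 +0000] "GET /frontend/get_article_suggestion/?search=abc%27%20AND%201%3D1--%20 HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Jan/2026:10:00:02 +0000] "GET /frontend/get_article_suggestion/?search=abc%27%20AND%201%3D2--%20 HTTP/1.1" 200 64',
    '203.0.113.7 - - [29/Jan/2026:10:00:03 +0000] "GET /frontend/get_article_suggestion/?search=abc%27%20AND%203%3E2--%20 HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Jan/2026:10:00:04 +0000] "GET /frontend/get_article_suggestion/?search=abc%27%20AND%203%3E4--%20 HTTP/1.1" 200 64',
    '198.51.100.4 - - [29/Jan/2026:10:00:05 +0000] "GET /frontend/get_article_suggestion/?search=timeline HTTP/1.1" 200 300',
    '198.51.100.4 - - [29/Jan/2026:10:00:06 +0000] "GET /frontend/get_article_suggestion/?search=rock+and+roll HTTP/1.1" 200 64',
    '198.51.100.4 - - [29/Jan/2026:10:00:07 +0000] "GET /frontend/article/5 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)  # the 203.0.113.7 client, 4 suspicious of 4, 4 distinct payloads
```

Two details matter when this runs on real traffic. The alternating response sizes (512 then 64 bytes in the constructed lines) are themselves a signal of a true/false oracle and could be added as a second feature. And the threshold is per client, so a distributed probe from many addresses needs the same grouping keyed on the parameter shape instead; the `payloads` set is the hook for that.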