Cyber Resilience

CVE-2020-37005

Severity: High · Public PoC

Published: 29 January 2026

Modified: 15 April 2026
CVSS Score (v4): 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (14.1th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37005 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery: Local Account (T1087.001). The CVE is ranked at the 14.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2020-37005 is an authenticated time-based SQL injection vulnerability (CWE-89) in TimeClock Software version 1.01. The issue affects the add_entry.php endpoint, where the 'notes' parameter can be manipulated to inject conditional time delays, allowing attackers to enumerate valid usernames by measuring differences in response times.

Exploitation requires network access and low-privilege authentication (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base score 7.1). An authenticated attacker can remotely trigger time-based blind SQL injection queries to confirm the existence of specific usernames, achieving high confidentiality impact through user enumeration while causing low integrity impact and no availability disruption.

Public resources include an Exploit-DB proof-of-concept (exploit 48874), a VulnCheck advisory on the authenticated time-based SQL injection, and an archived version of the TimeClock Software website. No specific patch or mitigation details are provided in the referenced materials.


Vulnerability details

TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1087.001 Account Discovery: Local Account
Adversaries may attempt to get a listing of local system accounts.
Why these techniques?

Authenticated blind SQLi enables direct enumeration of valid local usernames via response timing.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2020-37244 (shared CWE-89)
CVE-2018-25418 (shared CWE-89)
CVE-2025-26136 (shared CWE-89)
CVE-2024-57620 (shared CWE-89)
CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2019-25537 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)



Mitigating Controls (NIST 800-53 r5, AI)

prevent (SI-10, Information Input Validation): Directly requires validation of the 'notes' parameter in add_entry.php, so that SQL syntax and time-delay payloads are rejected before they reach the database.

prevent (AC-6, Least Privilege): Limits the database privileges granted to the low-privilege authenticated account, so that even a successful time-based injection cannot enumerate or extract arbitrary user data.

detect: Enables monitoring of query response times and anomalous SQL patterns at the add_entry.php endpoint, to identify blind time-based enumeration attempts.
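An added example of the detect control above, not code from this page or from TimeClock Software: it parses constructed request-log lines (the log format, the user names and the durations are all assumptions) and flags accounts whose requests to add_entry.php repeatedly take far longer than the endpoint's median, which is the footprint a time-based blind probe leaves in response-time data.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed request-log lines (not from the page), one per request with its
# duration; add_entry.php is the endpoint the advisory names.
SAMPLE_LOG = """\
2026-01-29T10:00:01Z user=alice path=/add_entry.php status=200 dur_ms=120
2026-01-29T10:00:03Z user=alice path=/add_entry.php status=200 dur_ms=130
2026-01-29T10:00:05Z user=alice path=/login.php status=200 dur_ms=90
2026-01-29T10:00:07Z user=alice path=/add_entry.php status=200 dur_ms=110
2026-01-29T10:01:00Z user=bob path=/add_entry.php status=200 dur_ms=5020
2026-01-29T10:01:10Z user=bob path=/add_entry.php status=200 dur_ms=5015
2026-01-29T10:01:20Z user=bob path=/add_entry.php status=200 dur_ms=125
"""

LINE_RE = re.compile(r"^\S+ user=(?P<user>\S+) path=(?P<path>\S+) status=\d+ dur_ms=(?P<dur>\d+)$")

@dataclass(frozen=True)
class Request:
    user: str
    path: str
    dur_ms: int

def parse_log(text: str) -> list:
    """Parse log lines, skipping any that do not match the assumed format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Request(m["user"], m["path"], int(m["dur"])))
    return out

def baseline_ms(reqs, path="/add_entry.php") -> float:
    """Median response time for the endpoint; a median is not skewed by a few injected delays."""
    durs = [r.dur_ms for r in reqs if r.path == path]
    return statistics.median(durs) if durs else 0.0

def slow_requests(reqs, path="/add_entry.php", factor=10.0, floor_ms=1000):
    """Requests far above baseline: a blind probe needs a delay big enough to beat normal jitter."""
    limit = max(floor_ms, factor * baseline_ms(reqs, path))
    return [r for r in reqs if r.path == path and r.dur_ms >= limit]

def suspicious_users(reqs, path="/add_entry.php", min_hits=2) -> dict:
    """Accounts with repeated slow requests: one slow request is noise, a run is the pattern."""
    hits = Counter(r.user for r in slow_requests(reqs, path))
    return {u: n for u, n in hits.items() if n >= min_hits}
```

Detection complements the prevent controls rather than replacing them; the durable fix for CWE-89 remains binding the notes value through a parameterized query.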

References