CVE-2020-37005
Published: 29 January 2026
Summary
CVE-2020-37005 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1087.001). Its exploit-likelihood ranking sits at the 14.1 percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-37005 is an authenticated time-based SQL injection vulnerability (CWE-89) in TimeClock Software version 1.01. The issue affects the add_entry.php endpoint, where the 'notes' parameter can be manipulated to inject conditional time delays, allowing attackers to enumerate valid usernames by measuring differences in response times.
Exploitation requires network access and low-privilege authentication (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base score 7.1). An authenticated attacker can remotely trigger time-based blind SQL injection queries to confirm the existence of specific usernames, achieving high confidentiality impact through user enumeration while causing low integrity impact and no availability disruption.
Public resources include an Exploit-DB proof-of-concept (exploit 48874), a VulnCheck advisory on the authenticated time-based SQL injection, and an archived version of the TimeClock Software website. No specific patch or mitigation details are provided in the referenced materials.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30916
Vulnerability details
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated blind SQLi enables direct enumeration of valid local usernames via response timing.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the 'notes' parameter in add_entry.php to reject SQL syntax and time-delay payloads before they reach the database.
- AC-6 (Least Privilege): Limits the database privileges granted to the low-privilege authenticated account so that even a successful time-based injection cannot enumerate or extract arbitrary user data.
- Enables monitoring of query response times and anomalous SQL patterns at the add_entry.php endpoint to identify blind time-based enumeration attempts.
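As an added illustration of the monitoring control above (example code written for this page, not part of TimeClock Software or the referenced advisory), the script below scans constructed access-log lines for add_entry.php and flags requests whose 'notes' parameter carries a SQL time-delay function or whose response time is far above the endpoint's baseline. The log format, the 50 ms baseline and the 10x threshold are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in an assumed format: method url status response_ms user
SAMPLE_LOG = """\
POST /add_entry.php?notes=Worked+on+payroll+batch 200 42 alice
POST /add_entry.php?notes=Client+call%2C+follow+up+Monday 200 38 bob
POST /add_entry.php?notes=x+SLEEP%285%29 200 5031 carol
POST /add_entry.php?notes=x+BENCHMARK%28 200 5010 carol
POST /add_entry.php?notes=Inventory+count 200 47 dave
GET /index.php 200 12 alice
"""

# Time-delay functions of common SQL dialects, used purely as detection signatures
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.IGNORECASE)
ENDPOINT = "/add_entry.php"
BASELINE_MS = 50   # assumed normal response time for add_entry.php
SLOW_FACTOR = 10   # flag responses slower than 10x the baseline
LINE_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ms>\d+) (?P<user>\S+)$")

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["notes"] = parse_qs(parts.query).get("notes", [""])[0]  # parse_qs URL-decodes
    rec["ms"] = int(rec["ms"])
    return rec

def classify(rec):
    """Return the reasons a request looks like blind time-based enumeration (empty if benign)."""
    if rec is None or rec["path"] != ENDPOINT:
        return []
    reasons = []
    if TIME_DELAY_RE.search(rec["notes"]):
        reasons.append("time-delay SQL function in notes")
    if rec["ms"] > BASELINE_MS * SLOW_FACTOR:
        reasons.append(f"response {rec['ms']}ms exceeds {BASELINE_MS * SLOW_FACTOR}ms")
    return reasons

def scan(log_text):
    """Return (user, notes, reasons) for every suspicious add_entry.php request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["user"], rec["notes"], reasons))
    return hits

if __name__ == "__main__":
    for user, notes, reasons in scan(SAMPLE_LOG):
        print(f"{user}: {notes!r} -> {'; '.join(reasons)}")
```

Both signals together (signature plus timing) keep false positives low: a genuinely slow request with ordinary notes and a fast request that merely mentions "sleep" each produce only one reason, which a real detection rule can weight accordingly.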