CVE-2020-37008
Published: 29 January 2026
Summary
CVE-2020-37008 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Elektraweb (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
NVD Description
EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user…
more
passwords without proper token authentication.
Deeper analysisAI
CVE-2020-37008 is an authentication bypass vulnerability (CWE-639) affecting EasyPMS version 1.0.0. The flaw enables unprivileged users to manipulate SQL queries via JSON requests, allowing access to admin user information. It arises from weak input validation, where attackers inject single quotes into ID parameters to bypass proper token authentication and modify admin user passwords.
The vulnerability can be exploited remotely over the network (AV:N) by attackers requiring no privileges (PR:N), low attack complexity (AC:L), and no user interaction (UI:N). Exploitation yields high confidentiality impact through admin data disclosure and enables password changes, consistent with its CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Advisories from VulnCheck detail the issue, while proof-of-concept exploits are publicly available on Exploit-DB (ID 48858). The vendor site, Elektraweb, is referenced in connection with the software. No specific patches or mitigation steps are outlined in the provided details.
Details
- CWE(s)