CVE-2020-37051
Published: 30 January 2026
Summary
CVE-2020-37051 is a high-severity SQL Injection (CWE-89) vulnerability in Sunnygkp10 Online-Exam-System-. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2020-37051 is a time-based blind SQL injection vulnerability in the Online-Exam-System 2015 application, specifically affecting the feedback form processed by the 'feed.php' endpoint. This flaw, classified under CWE-89, enables attackers to craft malicious payload requests that leverage time delays to systematically enumerate characters in database password hashes. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its potential for significant confidentiality impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending specially crafted requests to 'feed.php', they can extract sensitive database password hashes through blind inference techniques that measure response time differences, potentially compromising user credentials or further escalating access depending on hash strength and reuse.
Advisories from VulnCheck detail the SQL injection in the Online-Exam-System feedback mechanism, while Exploit-DB provides a public proof-of-concept exploit (ID 48560) demonstrating the time-based enumeration. The original source code is available on GitHub at the referenced repository, but no patches or vendor mitigations are specified in the available information. Security practitioners should review these resources for reproduction and apply input validation, prepared statements, or upgrades to remediate.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30930
Vulnerability details
Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user…
more
password characters.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of a public-facing web application via SQL injection for data/credential extraction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs to the feed.php feedback form to block malicious SQL payloads exploiting time-based blind injection.
Implements boundary protection via web application firewalls to inspect and block network requests containing SQL injection patterns targeting the vulnerable endpoint.
Conducts vulnerability scanning to identify and prioritize SQL injection flaws like CVE-2020-37051 in web applications for remediation.