Cyber Resilience

CVE-2020-37051

HighPublic PoC

Published: 30 January 2026

Published
30 January 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 28.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37051 is a high-severity SQL Injection (CWE-89) vulnerability in Sunnygkp10 Online-Exam-System-. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2020-37051 is a time-based blind SQL injection vulnerability in the Online-Exam-System 2015 application, specifically affecting the feedback form processed by the 'feed.php' endpoint. This flaw, classified under CWE-89, enables attackers to craft malicious payload requests that leverage time delays to systematically enumerate characters in database password hashes. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its potential for significant confidentiality impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By sending specially crafted requests to 'feed.php', they can extract sensitive database password hashes through blind inference techniques that measure response time differences, potentially compromising user credentials or further escalating access depending on hash strength and reuse.

Advisories from VulnCheck detail the SQL injection in the Online-Exam-System feedback mechanism, while Exploit-DB provides a public proof-of-concept exploit (ID 48560) demonstrating the time-based enumeration. The original source code is available on GitHub at the referenced repository, but no patches or vendor mitigations are specified in the available information. Security practitioners should review these resources for reproduction and apply input validation, prepared statements, or upgrades to remediate.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user…

more

password characters.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing web application via SQL injection for data/credential extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37057Same product: Sunnygkp10 Online-Exam-System-
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89

Affected Assets

sunnygkp10
online-exam-system-
2015

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs to the feed.php feedback form to block malicious SQL payloads exploiting time-based blind injection.

prevent

Implements boundary protection via web application firewalls to inspect and block network requests containing SQL injection patterns targeting the vulnerable endpoint.

detect

Conducts vulnerability scanning to identify and prioritize SQL injection flaws like CVE-2020-37051 in web applications for remediation.

References