CVE-2020-37057
Published: 30 January 2026
Summary
CVE-2020-37057 is a high-severity SQL Injection (CWE-89) vulnerability in Sunnygkp10 Online-Exam-System-. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37057 is a SQL injection vulnerability in the feedback module of Online-Exam-System 2015. The flaw allows attackers to manipulate database queries through the 'fid' parameter by injecting malicious SQL code, potentially enabling extraction, modification, or deletion of database information. It is classified under CWE-89 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no required privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. Successful exploitation grants high-impact confidentiality by extracting sensitive database information, low-impact integrity by modifying data, and no availability disruption, all within the unchanged scope of the application.
Advisories and related resources, including those from Vulncheck and Exploit-DB, provide further details on the vulnerability, with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/48529. The source code for the affected Online-Exam-System 2015 is hosted at https://github.com/sunnygkp10/Online-Exam-System-.git, and mitigation guidance can be found in the Vulncheck advisory at https://www.vulncheck.com/advisories/online-exam-system-fid-sql-injection. No specific patches are detailed in the provided information.
This vulnerability was published on 2026-01-30, with public exploit code indicating potential for real-world abuse in unpatched instances of this legacy online exam system.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30925
Vulnerability details
Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote exploitation of a public-facing web app via SQL injection matches T1190; DB data extraction/modification is a direct consequence of the flaw.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection vulnerability by defining and enforcing validation of the 'fid' parameter to reject malicious SQL code before database query execution.
Addresses the CVE by requiring timely identification, reporting, and correction of the SQL injection flaw in the feedback module.
Mitigates remote SQL injection exploitation through boundary protection mechanisms like web application firewalls that inspect and block malicious payloads in the 'fid' parameter.