CVE-2020-37081
Published: 03 February 2026
Summary
CVE-2020-37081 is a high-severity SQL Injection (CWE-89) vulnerability in Fishing Reservation System (product name inferred from the references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37081 affects Fishing Reservation System version 7.5 and consists of multiple remote SQL injection vulnerabilities (CWE-89). These flaws exist in the admin.php, cart.php, and calendar.php components, where parameters including uid, pid, type, m, y, and code fail to properly sanitize user input, allowing attackers to inject malicious SQL commands. The vulnerability enables compromise of the underlying database management system and web application.
Remote attackers require no privileges (PR:N) and can exploit the issues over the network (AV:N) with low attack complexity (AC:L); the vector records user interaction as required (UI:R). Successful exploitation has high confidentiality impact (C:H), such as data extraction, low integrity impact (I:L), and no availability impact (A:N), with unchanged scope (S:U), yielding a CVSS v3.1 base score of 7.1. The vulnerability description itself, however, states that attacks can occur without user interaction, potentially through crafted requests to the vulnerable endpoints, which does not match the UI:R metric in the vector.
Advisories and related resources, including those from VulnCheck (https://www.vulncheck.com/advisories/fishing-reservation-system-uid-sql-injection), Vulnerability Lab (https://www.vulnerability-lab.com/get_content.php?id=2243), and an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48417), provide further details on the issues. The vendor site (https://fishingreservationsystem.com/index.html) is referenced for additional context.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30994
Vulnerability details
Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct remote SQL injection in public-facing web app components enables exploitation of the application and underlying database.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input parameters (uid, pid, type, m, y, code) in admin.php, cart.php and calendar.php to block malicious SQL statements.
- SI-2 (Flaw Remediation): mandates timely remediation of the identified SQL-injection flaws in version 7.5 so the vulnerable code paths are removed or corrected.
- SC-7 (Boundary Protection): boundary-protection mechanisms such as WAF rules can inspect and block SQL-injection payloads before they reach the vulnerable PHP endpoints.
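To make the SI-10 control above and the unsanitized-parameter pattern described under Deeper analysis concrete, here is an added PHP example. It is not Fishing Reservation System's code and is not taken from any of the referenced advisories. It places the string-concatenation pattern behind a CWE-89 flaw beside a hardened lookup that validates uid, type, m and y against the shape each parameter is expected to have and then binds them through PDO prepared statements. The table name, column names, allowed type values, year range and function names are assumptions made for the demo, which runs against an in-memory SQLite database seeded with constructed rows.

```php
<?php
declare(strict_types=1);

// Added illustration (not Fishing Reservation System code). The table name
// "reservations", its columns, the allowed "type" values and the year range
// are assumptions chosen for this demo.

// --- Vulnerable pattern (CWE-89) --------------------------------------------
// The request parameter is concatenated into the SQL text, so quote characters
// and SQL operators inside it become part of the statement. Never called below.
function lookupByUidVulnerable(PDO $db, string $uid): array
{
    $sql = "SELECT id, pid, type FROM reservations WHERE uid = '" . $uid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: input validation (SI-10) + parameterised SQL ---------

/** Positive integer identifier such as uid or pid; anything else is rejected. */
function requireId(string $value, string $name): int
{
    if (!ctype_digit($value) || $value === '0' || strlen($value) > 10) {
        throw new InvalidArgumentException("Invalid $name");
    }
    return (int) $value;
}

/** Value must be one of a fixed allow-list (used for the "type" parameter). */
function requireEnum(string $value, array $allowed, string $name): string
{
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException("Invalid $name");
    }
    return $value;
}

/** Calendar month 1..12. */
function requireMonth(string $value): int
{
    $m = requireId($value, 'm');
    if ($m > 12) {
        throw new InvalidArgumentException('Invalid m');
    }
    return $m;
}

/** Calendar year within an assumed plausible range. */
function requireYear(string $value): int
{
    $y = requireId($value, 'y');
    if ($y < 2000 || $y > 2100) {
        throw new InvalidArgumentException('Invalid y');
    }
    return $y;
}

function lookupReservationsHardened(PDO $db, array $query): array
{
    // Layer 1: every parameter must have exactly the shape the code expects.
    $uid  = requireId((string) ($query['uid'] ?? ''), 'uid');
    $type = requireEnum((string) ($query['type'] ?? ''), ['boat', 'guide', 'lodge'], 'type');
    $m    = requireMonth((string) ($query['m'] ?? ''));
    $y    = requireYear((string) ($query['y'] ?? ''));

    // Layer 2: placeholders keep data separate from SQL structure, so a bound
    // value cannot change the statement even if validation were ever bypassed.
    $stmt = $db->prepare(
        'SELECT id, pid, type FROM reservations
          WHERE uid = :uid AND type = :type AND m = :m AND y = :y'
    );
    $stmt->bindValue(':uid',  $uid,  PDO::PARAM_INT);
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':m',    $m,    PDO::PARAM_INT);
    $stmt->bindValue(':y',    $y,    PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo on an in-memory SQLite database with constructed sample rows ------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, uid INTEGER, pid INTEGER, type TEXT, m INTEGER, y INTEGER)');
$db->exec("INSERT INTO reservations (uid, pid, type, m, y) VALUES (7, 3, 'boat', 6, 2024), (8, 4, 'guide', 6, 2024)");

// Well-formed request: one matching row for uid 7.
$rows = lookupReservationsHardened($db, ['uid' => '7', 'type' => 'boat', 'm' => '6', 'y' => '2024']);
printf("rows for uid 7: %d\n", count($rows));

// Malformed request: a uid containing a quote character never reaches the database.
try {
    lookupReservationsHardened($db, ['uid' => "7'", 'type' => 'boat', 'm' => '6', 'y' => '2024']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php` (requires the pdo_sqlite extension). The vulnerable function is kept only to show the pattern and is never invoked. The two hardening layers are deliberately independent: shape validation gives an early, loggable rejection of malformed parameters, while parameter binding guarantees that whatever value does reach the driver is treated as data. A WAF rule in front of the endpoint (SC-7) is a third, coarser layer that does not replace either of them.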