CVE-2020-37083
Published: 03 February 2026
Summary
CVE-2020-37083 is a high-severity SQL Injection (CWE-89) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37083 is a time-based blind SQL injection vulnerability in PHP AddressBook version 9.0.0.1. The issue resides in the photo.php endpoint, where the 'id' parameter fails to properly sanitize input, allowing remote attackers to inject crafted SQL statements that introduce time delays for data exfiltration.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By crafting payloads that cause observable response time differences, attackers can systematically extract sensitive database information, achieving high confidentiality impact with low integrity impact and no availability impact, as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and CWE-89 classification.
Mitigation details are available in referenced advisories, including the PHP AddressBook project page at https://sourceforge.net/projects/php-addressbook/, a public exploit demonstration at https://www.exploit-db.com/exploits/48416, and a VulnCheck advisory at https://www.vulncheck.com/advisories/addressbook-id-sql-injection, which security practitioners should consult for patching guidance or version upgrades.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30992
Vulnerability details
PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Time-based blind SQL injection in unauthenticated photo.php endpoint of public-facing PHP web app directly enables remote exploitation for database data exfiltration.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the 'id' parameter in photo.php to block SQL injection payloads and prevent time-based blind data exfiltration.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the specific SQL injection flaw in PHP AddressBook version 9.0.0.1 through patching or upgrades.
- Enforces restrictions on the format, length, and type of the 'id' parameter to limit opportunities for crafting malicious time-delay SQL injection inputs.
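As an added illustration (not code from the PHP AddressBook project), the following constructed photo.php-style handler applies the controls listed above: strict integer validation of 'id' before any database access, and a parameterized query so the value is bound rather than interpolated. The table name, column names and stored image format are assumptions.

```php
<?php
// Added example, not PHP AddressBook's own code: a constructed handler that
// applies SI-10 input validation to 'id' and binds it in a prepared statement.
// Table/column names ('addresses', 'id', 'photo') are assumed for illustration.

declare(strict_types=1);

// SI-10: accept only a positive integer for 'id'. FILTER_VALIDATE_INT rejects
// any value with extra characters (spaces, quotes, SQL keywords), so crafted
// input is dropped before it can influence a query.
function validateId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays or missing values are never valid ids
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Parameterized lookup: the id is bound as an integer, never concatenated into
// the SQL text (contrast with the vulnerable shape "... WHERE id = " . $_GET['id']).
function fetchPhoto(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT photo FROM addresses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $photo = $stmt->fetchColumn();
    return $photo === false ? null : (string) $photo;
}

// Request handling: invalid or unknown ids get the same 404 response, and an
// invalid id never reaches the database at all.
function handlePhotoRequest(PDO $db, array $query): void
{
    $id = validateId($query['id'] ?? null);
    if ($id === null) {
        http_response_code(404);
        return;
    }
    $photo = fetchPhoto($db, $id);
    if ($photo === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg'); // assumed stored format
    echo $photo;
}

// Usage (assumed DSN/credentials):
// $db = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
// handlePhotoRequest($db, $_GET);
```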