Cyber Resilience

CVE-2020-37083

Severity: High · Public PoC

Published: 03 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS v4 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0030 (21.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37083 is a high-severity SQL Injection (CWE-89) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37083 is a time-based blind SQL injection vulnerability in PHP AddressBook version 9.0.0.1. The issue resides in the photo.php endpoint, where the 'id' parameter fails to properly sanitize input, allowing remote attackers to inject crafted SQL statements that introduce time delays for data exfiltration.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By crafting payloads that cause observable response time differences, attackers can systematically extract sensitive database information, achieving high confidentiality impact with low integrity impact and no availability impact, as reflected in the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and CWE-89 classification.

Mitigation details are available in referenced advisories, including the PHP AddressBook project page at https://sourceforge.net/projects/php-addressbook/, a public exploit demonstration at https://www.exploit-db.com/exploits/48416, and a VulnCheck advisory at https://www.vulncheck.com/advisories/addressbook-id-sql-injection, which security practitioners should consult for patching guidance or version upgrades.

Vulnerability details

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Time-based blind SQL injection in unauthenticated photo.php endpoint of public-facing PHP web app directly enables remote exploitation for database data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-24956 (shared CWE-89)
- CVE-2026-33615 (shared CWE-89)
- CVE-2025-28939 (shared CWE-89)
- CVE-2021-47872 (shared CWE-89)
- CVE-2025-28873 (shared CWE-89)
- CVE-2019-25636 (shared CWE-89)
- CVE-2026-32611 (shared CWE-89)
- CVE-2026-42755 (shared CWE-89)
- CVE-2024-53544 (shared CWE-89)
- CVE-2026-21410 (shared CWE-89)

Affected Assets

Sourceforge (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires validation and sanitization of the 'id' parameter in photo.php to block SQL injection payloads and prevent time-based blind data exfiltration.

prevent: Mandates identification, reporting, and correction of the specific SQL injection flaw in PHP AddressBook version 9.0.0.1 through patching or upgrades.

prevent: Enforces restrictions on the format, length, and type of the 'id' parameter to limit opportunities for crafting malicious time-delay SQL injection inputs.

References