Cyber Resilience

CVE-2020-37108

Severity: High · Public PoC

Published: 03 February 2026
Modified: 15 April 2026
CVSS Score (v4): 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (20.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37108 is a high-severity SQL Injection (CWE-89) vulnerability in Allhandsmarketing (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37108 is a SQL injection vulnerability (CWE-89) affecting PhpIX 2012 Professional, specifically in the 'id' parameter of the product_detail.php component. This flaw enables remote attackers to inject malicious SQL code through the parameter, allowing manipulation of database queries to potentially extract or modify database information. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-02-03.

Attackers with low privileges, such as authenticated users, can exploit this over the network with low complexity and no user interaction required. Successful exploitation grants high confidentiality impact, enabling extraction of sensitive data, alongside low integrity impact for limited data modifications, but no availability disruption.

References include an Exploit-DB entry at https://www.exploit-db.com/exploits/48138 detailing a public exploit, a VulnCheck advisory at https://www.vulncheck.com/advisories/phpix-professional-id-sql-injection, and the sites http://www.allhandsmarketing.com/ and http://www.pcollectionnecktie.com/sandbox/. These resources provide further details on the vulnerability; specific mitigation guidance, such as patching or input validation, is outlined in the advisories.


Vulnerability details

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information.

CWE(s)

CWE-89 SQL Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing PHP web app directly enables remote exploitation (T1190) and database data access/exfiltration (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2019-25537 (shared CWE-89)
- CVE-2019-25366 (shared CWE-89)
- CVE-2019-25496 (shared CWE-89)
- CVE-2026-1475 (shared CWE-89)
- CVE-2026-26990 (shared CWE-89)
- CVE-2026-44047 (shared CWE-89)
- CVE-2025-12865 (shared CWE-89)
- CVE-2024-11135 (shared CWE-89)
- CVE-2019-25491 (shared CWE-89)
- CVE-2024-13369 (shared CWE-89)

Affected Assets

Allhandsmarketing (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of the 'id' parameter in product_detail.php to block malicious SQL syntax before query execution.
- SI-2 Flaw Remediation (prevent): Mandates timely patching or code fixes for the known SQL injection flaw in PhpIX 2012 Professional.
- Least privilege for the database account (prevent): Limits database account privileges so that even a successful injection via the 'id' parameter yields minimal data exposure or modification.
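The following PHP is an added illustration of the two code-level controls above (input validation of 'id' and a query that cannot be altered by that input); it is not PhpIX code and is not taken from the advisories. It assumes a PDO connection, a hypothetical `products` table with an integer `id` column, and the pdo_sqlite extension for the self-contained demo; the sample rows and request values are constructed.

```php
<?php
// Added example (not PhpIX code): the CWE-89 pattern this record describes in
// product_detail.php, beside a hardened form that applies SI-10 (input validation)
// and a parameterized query. Assumes a PDO connection and a hypothetical
// `products` table with an integer `id` column.

declare(strict_types=1);

// VULNERABLE PATTERN: the request parameter is concatenated straight into the SQL
// text, so any SQL syntax carried in 'id' is parsed and executed by the database.
function productDetailVulnerable(PDO $pdo, array $request): ?array
{
    $id  = $request['id'] ?? '';
    $sql = 'SELECT id, name, price FROM products WHERE id = ' . $id;  // CWE-89
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: (1) reject anything that is not a positive integer before it is used
// (SI-10), and (2) bind the value as a typed parameter so the database never
// interprets it as part of the SQL statement.
function productDetailHardened(PDO $pdo, array $request): ?array
{
    $raw = $request['id'] ?? null;
    // FILTER_VALIDATE_INT rejects trailing text, spaces, floats and empty values.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Caller should answer HTTP 400; no query is built from the bad input.
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (1, 'Sample item A', 19.99), (2, 'Sample item B', 24.50)");

// Well-formed request: both variants return the same row (id 2).
var_dump(productDetailVulnerable($pdo, ['id' => '2']));
var_dump(productDetailHardened($pdo, ['id' => '2']));

// Malformed request using the textbook tautology: the vulnerable variant runs the
// altered WHERE clause and returns a row it should not (id 1); the hardened variant
// returns null because validation fails before any SQL is assembled.
var_dump(productDetailVulnerable($pdo, ['id' => '0 OR 1=1']));
var_dump(productDetailHardened($pdo, ['id' => '0 OR 1=1']));
```

The validation step and the prepared statement are independent defences: either alone stops the injection shown, and keeping both means a later change to the query (for example, accepting a string SKU instead of an integer id) does not silently reopen the flaw. The third control in the list above, a database account restricted to SELECT on the tables the page needs, bounds the impact if either defence is ever bypassed.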
