CVE-2020-37108
Published: 03 February 2026
Summary
CVE-2020-37108 is a high-severity SQL Injection (CWE-89) vulnerability in Allhandsmarketing (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 20.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37108 is a SQL injection vulnerability (CWE-89) affecting PhpIX 2012 Professional, specifically in the 'id' parameter of the product_detail.php component. This flaw enables remote attackers to inject malicious SQL code through the parameter, allowing manipulation of database queries to potentially extract or modify database information. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-02-03.
Attackers with low privileges, such as authenticated users, can exploit this over the network with low complexity and no user interaction required. Successful exploitation grants high confidentiality impact, enabling extraction of sensitive data, alongside low integrity impact for limited data modifications, but no availability disruption.
References include an Exploit-DB entry at https://www.exploit-db.com/exploits/48138 detailing a public exploit, a VulnCheck advisory at https://www.vulncheck.com/advisories/phpix-professional-id-sql-injection, and the sites http://www.allhandsmarketing.com/ and http://www.pcollectionnecktie.com/sandbox/. These resources provide further details on the vulnerability; specific mitigation guidance, such as patching or input validation, is outlined in the advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30986
Vulnerability details
PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information.
CWE(s)
- CWE-89 (SQL Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing PHP web application directly enables remote exploitation (T1190) and access to or exfiltration of database contents (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'id' parameter in product_detail.php to block malicious SQL syntax before query execution.
- SI-2 (Flaw Remediation): mandates timely patching or code fixes for the known SQL injection flaw in PhpIX 2012 Professional.
- Least privilege for the database account: limits database account privileges so that even a successful injection via the 'id' parameter yields minimal data exposure or modification.
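The following is an added illustration, not code from PhpIX or from any of the advisories above. It is a hypothetical product-detail handler that shows the unsafe pattern the vulnerability class describes (the 'id' request parameter concatenated into SQL text) next to a hardened version that applies the SI-10 control: the parameter is validated as a positive integer before the database is touched and then bound as a typed parameter of a prepared statement. Function names, the `products` table and the sample rows are all constructed for the example; the demo runs against an in-memory SQLite database so it needs no server.

```php
<?php
// Hypothetical product_detail handler. Constructed for illustration; this is
// not PhpIX code and the table/column names are assumptions.
declare(strict_types=1);

// --- Unsafe pattern (CWE-89): request input becomes part of the SQL text ---
function productDetailVulnerable(PDO $db, array $get): ?array
{
    $id = $get['id'] ?? '';
    // Whatever the client sends for 'id' is parsed by the database as SQL,
    // so quotes and operators in the value change the statement itself.
    $sql = "SELECT id, name, price FROM products WHERE id = '" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened version: allow-list validation plus a parameterised query ---
function productDetailHardened(PDO $db, array $get): ?array
{
    // SI-10: 'id' must be a positive integer. filter_var() returns false for
    // anything else (empty, non-numeric, contains quotes or spaces), and the
    // request is rejected before any query is built.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // The value is bound as data with an explicit integer type; it is never
    // interpreted as part of the SQL statement.
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use the driver's native prepared statements rather than client-side emulation.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (1, 'Necktie', 19.99), (2, 'Cufflinks', 29.99)");

// A well-formed id returns the matching row.
var_dump(productDetailHardened($db, ['id' => '2']));
// An id carrying a SQL metacharacter is rejected by validation and returns NULL
// without the database ever seeing it.
var_dump(productDetailHardened($db, ['id' => "2'"]));
// A non-existent but valid id also returns NULL (no row), which is the
// expected application-level outcome rather than an error.
var_dump(productDetailHardened($db, ['id' => '999']));
```

The validation step and the prepared statement are independent defences: the prepared statement alone already prevents the bound value from altering the query, and the integer check additionally rejects malformed requests early and keeps the handler's contract explicit. The third control on the page, least privilege for the database account, sits outside the application code: the credentials this handler connects with should be granted only SELECT on the tables it reads, so that a future injection flaw elsewhere in the application cannot be turned into data modification.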