CVE-2020-36945
SQL Injection in WebDamn Login Allows Unauthorized Access
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webdamn | user_registration_login_system | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection in the WebDamn User Registration Login System that allows attackers who are not authenticated to bypass login authentication. By injecting a specific payload ('<email>' OR '1'='1') into both the username and password fields, attackers can manipulate the system to gain unauthorized access to the user panel.
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass authentication controls and gain unauthorized access to the user panel, potentially leading to unauthorized data access or manipulation. This compromises the security of the system and the confidentiality of user information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this SQL injection vulnerability by attempting to inject the payload '<email>' OR '1'='1' into the username and password fields of the login form. If the system allows login without valid credentials, it indicates the vulnerability. Specific commands depend on your testing tools, but a simple test can be done using curl or a web proxy to send POST requests with the injection payload in the login parameters.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying input validation and parameterized queries to prevent SQL injection. Restricting direct database queries from user input and implementing proper authentication checks are essential. If a patch or update is available from the vendor, apply it promptly. Additionally, monitor login attempts for suspicious activity and consider temporarily disabling the vulnerable login functionality until fixed.