CVE-2020-37083
Unknown Unknown - Not Provided
Time-Based Blind SQL Injection in PHP AddressBook photo.php

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
php_addressbook php_addressbook 9.0.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability. This means that remote attackers can manipulate database queries by injecting specially crafted SQL statements into the 'id' parameter of the photo.php endpoint.

The vulnerability allows attackers to use time delays in their injected SQL to infer information from the database by observing how long the server takes to respond.

Impact Analysis

This vulnerability can allow remote attackers to extract sensitive information from the database without direct access, by exploiting the time delays caused by injected SQL queries.

Because the vulnerability affects confidentiality (as indicated by the CVSS score with high impact on confidentiality), attackers can gain unauthorized access to data, potentially leading to data breaches.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a time-based blind SQL injection in the 'id' parameter of the photo.php endpoint in PHP AddressBook 9.0.0.1. Detection typically involves sending crafted SQL payloads that introduce time delays and observing the response times to identify if the injection is successful.

For example, you can use tools like curl or sqlmap to test the 'id' parameter by injecting SQL statements that cause delays, such as using 'SLEEP()' functions in MySQL.

  • Using curl to test the 'id' parameter with a time delay payload: curl 'http://target/photo.php?id=1 AND IF(SLEEP(5),1,0)'
  • Using sqlmap to automate detection: sqlmap -u 'http://target/photo.php?id=1' --time-sec=5 --technique=T
Mitigation Strategies

Immediate mitigation steps include validating and sanitizing all user inputs, especially the 'id' parameter in photo.php, to prevent SQL injection.

Use prepared statements or parameterized queries to handle database interactions securely.

If possible, update or patch PHP AddressBook to a version where this vulnerability is fixed.

Additionally, consider implementing web application firewalls (WAF) rules to detect and block SQL injection attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37083. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart