CVE-2020-37154
Unknown Unknown - Not Provided
Authenticated SQL Injection in eLection 2.0 Enables Remote Code Execution

Publication date: 2026-02-07

Last updated on: 2026-02-07

Assigner: VulnCheck

Description
eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-02-07
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2020-37154
EUVD
EUVD-2020-31109
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
j3rrybl4nks election 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2020-37154 is an authenticated SQL injection vulnerability found in eLection version 2.0, specifically in the candidate management endpoint. It occurs because the 'id' parameter in SQL commands is not properly sanitized, allowing an attacker with authenticated access to manipulate database queries."}, {'type': 'paragraph', 'content': 'Attackers can exploit this vulnerability using automated tools like SQLMap to perform various SQL injection techniques such as boolean-based blind, time-based blind, and UNION-based injections. This exploitation can lead to uploading backdoor files (PHP web shells) to the web application directory, resulting in remote code execution (RCE) and gaining an operating system shell on the server.'}] [2, 3]

Impact Analysis

This vulnerability can have serious impacts including unauthorized manipulation of the database and potential full remote code execution on the server hosting the eLection application.

  • Attackers with authenticated access can alter database queries, potentially extracting or modifying sensitive data.
  • Exploitation can lead to uploading malicious backdoor files, allowing attackers to execute arbitrary code remotely.
  • Remote code execution can result in complete compromise of the server, including access to the underlying operating system shell.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by intercepting and analyzing POST requests to the candidate management endpoint, specifically targeting the 'id' parameter in requests to `/election/admin/ajax/op_kandidat.php`."}, {'type': 'paragraph', 'content': 'Using SQLMap with high risk and level settings is recommended to test for the SQL injection vulnerability. The suggested command includes specifying the target URL, the vulnerable parameter, and the risk and level options.'}, {'type': 'list_item', 'content': 'sqlmap -u "http://target/election/admin/ajax/op_kandidat.php" --data="aksi=fetch&id=256" -p id --level=5 --risk=3'}, {'type': 'paragraph', 'content': "The vulnerability can be confirmed by testing for Boolean-based blind injection (e.g., `id=256 AND 8584=8584`), time-based blind injection using MySQL's SLEEP function (e.g., `id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ)`), and UNION-based injection techniques."}] [3]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart