How to fix CVE-2020-37051?

Within 24 hours: Disable the feedback form or restrict access to authenticated users only; notify system owners and initiate incident response protocols. Within 7 days: Deploy WAF rules to block SQL injection patterns in feedback parameters; conduct database audit for unauthorized access logs. Within 30 days: Evaluate system replacement or major version upgrade; implement input validation and parameterized queries; rotate all database credentials.

Is PHP affected by CVE-2020-37051?

A critical SQL injection vulnerability in our Online-Exam-System 2015 feedback form enables attackers to extract database password hashes without authentication. This threatens credential compromise and potential unauthorized access to sensitive educational records and system infrastructure.

CVE-2020-37051

HIGH

2026-01-30 [email protected]

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Mar 12, 2026 - 18:49 vuln.today

Public exploit code

CVE Published

Jan 30, 2026 - 23:16 nvd

HIGH 8.2

Description

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters.

Analysis

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. [CVSS 8.2 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects Online-Exam-System-. Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters.

Affected Products

Vendor: Sunnygkp10. Product: Online-Exam-System-. Versions: up to 2015.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: +20

CVE-2020-37051 vulnerability details – vuln.today

Back

CVE-2020-37051

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-37051

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code