CVE-2018-8820

HIGH

Square 9 GlobalForms 6.2.x - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8820. PoCs published by hateshape.

AI-analyzed exploit summary This is a functional PoC for CVE-2018-8820, demonstrating an authenticated blind SQL injection in Square 9 GlobalForms 6.2. It uses a time-based delay to verify the vulnerability by injecting a SQL payload into the target URL.

Description

An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full server compromise via xp_cmdshell. In some cases, the authentication requirement for the attack can be met by sending the default admin credentials.

Exploits (1)

nomisec WORKING POC 5 stars
by hateshape · poc
https://github.com/hateshape/frevvomapexec

This is a functional PoC for CVE-2018-8820, demonstrating an authenticated blind SQL injection in Square 9 GlobalForms 6.2. It uses a time-based delay to verify the vulnerability by injecting a SQL payload into the target URL.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Square 9 GlobalForms v6.2.x
Auth required
Prerequisites: Target URL/IP and port · Valid credentials (defaults to admin/admin@d)
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Mar/57

Scores

CVSS v3 7.5
EPSS 0.0179
EPSS Percentile 75.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
square-9/globalforms < 6.2
Published Mar 28, 2018
Tracked Since Feb 18, 2026