CVE-2020-11579

HIGH

Chadha PHPKB 9.0 Enterprise Edition - Unauthenticated Local File Disclosure via Installer Test Connection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11579. PoCs published by ShielderSec.

AI-analyzed exploit summary

This PoC exploits CVE-2020-11579, an arbitrary file disclosure vulnerability in PHPKB via a rogue MySQL server. It leverages the LOAD DATA LOCAL feature to exfiltrate files from the target system.

Description

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

Exploits (1)

nomisec · WORKING POC · 25 stars
by ShielderSec · poc
https://github.com/ShielderSec/CVE-2020-11579


Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: PHPKB (Knowledge Base Script) instances whose MySQL client is vulnerable (PHP before 7.2.16, or LOCAL DATA INFILE enabled)
Authentication: No auth needed
Prerequisites: Network access to the target PHPKB instance · Ability to expose a rogue MySQL server on a reachable host/port
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (4)

Third Party Advisory (x_refsource_misc): https://shielder.it/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/ShielderSec/CVE-2020-11579
Exploit, Third Party Advisory (x_refsource_misc): https://www.shielder.it/blog/mysql-and-cve-2020-11579-exploitation/
Product (x_refsource_misc): https://www.phpkb.com

Scores

CVSS v3: 7.5
EPSS: 0.2646
EPSS Percentile: 97.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-306
Status: published
Products (1): chadhaajay/phpkb 9.0
Published: Sep 03, 2020
Tracked Since: Feb 18, 2026