CVE-2020-24913

CRITICAL

Qcubed < 3.1.1 - SQL Injection

Title source: rule

Description

A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

Exploits (2)

nomisec WORKING POC

by shpaw415 · poc

https://github.com/shpaw415/CVE-2020-24913-exploit

View Code ZIP pw:eip

nomisec WORKING POC

by agarma · poc

https://github.com/agarma/CVE-2020-24913-PoC

View Code ZIP pw:eip

References (5)

[Product, Vendor Advisory] http://qcubed.com

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Mar/29

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Mar/30

[Exploit, Patch, Third Party Advisory] https://tech.feedyourhead.at/content/QCubed-SQL-Injection-CVE-2020-24913

[Exploit, Patch, Third Party Advisory] https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-02

Scores

CVSS v3 9.8

EPSS 0.4183

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

qcubed/qcubed < 3.1.1

qcubed/qcubed 0 - 3.2Packagist

Published Mar 04, 2021

Tracked Since Feb 18, 2026