CVE-2020-24913

CRITICAL

qcubed < 3.1.1 and >=0 < 3.2 - Unauthenticated SQL Injection via profile.php strQuery Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-24913. PoCs published by shpaw415, agarma.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-24913, targeting a SQL injection vulnerability in qcubed/profile.php. The exploit supports various modes for testing vulnerability, brute-forcing tables/columns, and extracting data.

Description

A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

Exploits (2)

nomisec WORKING POC
by shpaw415 · poc
https://github.com/shpaw415/CVE-2020-24913-exploit

This repository contains a functional exploit for CVE-2020-24913, targeting a SQL injection vulnerability in qcubed/profile.php. The exploit supports various modes for testing vulnerability, brute-forcing tables/columns, and extracting data.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: qcubed 2.2
No auth needed
Prerequisites: Bun runtime · target URL with vulnerable qcubed/profile.php endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by agarma · poc
https://github.com/agarma/CVE-2020-24913-PoC

This PoC demonstrates a SQL injection vulnerability in qcubed (all versions including 3.1.1) via the strQuery parameter in profile.php. It uses a time-based approach to exploit the vulnerability, as stacked queries are not feasible with MySQL.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: qcubed (all versions including 3.1.1)
No auth needed
Prerequisites: Access to the vulnerable endpoint · MySQL database backend
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Product, Vendor Advisory x_refsource_misc
http://qcubed.com
Exploit, Patch, Third Party Advisory x_refsource_misc
https://tech.feedyourhead.at/content/QCubed-SQL-Injection-CVE-2020-24913
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Mar/30
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Mar/29

Scores

CVSS v3: 9.8
EPSS: 0.4305
EPSS Percentile: 97.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2)
qcubed/qcubed < 3.1.1
qcubed/qcubed 0 - 3.2 (Packagist)
Published: Mar 04, 2021
Tracked Since: Feb 18, 2026