CVE-2020-35329

MEDIUM

Courier Management System 1.0 - SQL Injection via MULTIPART street Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35329. PoCs published by Zhaiyi.

AI-analyzed exploit summary: This exploit demonstrates a time-based blind SQL injection vulnerability in Courier Management System 1.0 via the 'street' parameter in a multipart form submission. The payload uses a SLEEP function to confirm the vulnerability, allowing database enumeration via sqlmap.

Description

Courier Management System 1.0 is affected by SQL injection via the 'MULTIPART street' parameter.

Exploits (1)

exploitdb WORKING POC
by Zhaiyi · text · webapps · php
https://www.exploit-db.com/exploits/49242


Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Courier Management System 1.0
Auth required
Prerequisites: Authenticated session · Burp Suite or similar intercepting proxy · sqlmap
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49242

Scores

CVSS v3 6.5
EPSS 0.0130
EPSS Percentile 66.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-89
Status published
Products (1)
courier_management_system_project/courier_management_system 1.0
Published Mar 04, 2021
Tracked Since Feb 18, 2026