CVE-2020-37083

HIGH

PHP AddressBook 9.0.0.1 - SQL Injection

Title source: llm

Description

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.

Exploits (1)

exploitdb WORKING POC

by David Velazquez · textwebappsphp

https://www.exploit-db.com/exploits/48416

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48416

[Product] https://sourceforge.net/projects/php-addressbook/

[Third Party Advisory] https://www.vulncheck.com/advisories/addressbook-id-sql-injection

Scores

CVSS v3 8.2

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

chatelao/PHP Address Book 9.0.0.1

Published Feb 03, 2026

Tracked Since Feb 18, 2026