CVE-2020-37083

HIGH

PHP AddressBook 9.0.0.1 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37083, a PoC published by David Velazquez.

AI-analyzed exploit summary: This Python script demonstrates a time-based blind SQL injection vulnerability in addressbook 9.0.0.1 by injecting a SLEEP(5) payload into the 'id' parameter of photo.php, and confirms the vulnerability by measuring the resulting delay in the response time.

Description

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter of the photo.php endpoint. Attackers can inject crafted SQL statements containing time delays and infer database contents by observing the response times of that endpoint.

Exploits (1)

exploitdb WORKING POC
by David Velazquez · text · webapps · php
https://www.exploit-db.com/exploits/48416


Classification
Working PoC (90%)
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: addressbook 9.0.0.1
No auth needed
Prerequisites: Network access to the target application · The photo.php endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/48416
Third Party Advisory
https://www.vulncheck.com/advisories/addressbook-id-sql-injection

Scores

CVSS v3 8.2
EPSS 0.0030
EPSS Percentile 21.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
chatelao/PHP Address Book 9.0.0.1
Published Feb 03, 2026
Tracked Since Feb 18, 2026