CVE-2020-23711
Description
SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection vulnerability in NavigateCMS 2.9 allows remote attackers to extract or manipulate database content via a crafted GET input 'category' parameter.
Vulnerability
The blind SQL injection vulnerability exists in NavigateCMS version 2.9. It resides in the navigate.php file, specifically through the URL-encoded GET input parameter category. An attacker can inject SQL payloads via this parameter, as demonstrated by the proof-of-concept payloads that use sleep() functions [1].
Exploitation
An attacker needs only a network connection to the vulnerable NavigateCMS instance. No prior authentication is required. By sending a crafted HTTP GET request with a malicious category parameter (e.g., category==(select(0)from(select(sleep(0)))v)/*...*/), the attacker can exploit the blind SQL injection to infer information from the database using time-based techniques [1].
Impact
Successful exploitation allows an attacker to read, update, and delete arbitrary data or tables from the backend database. Depending on the database configuration and operating system, the attacker may also be able to execute commands on the underlying operating system [1]. This can lead to full compromise of the CMS and the hosting server.
Mitigation
As of the publication of this CVE, the vendor has not released a patched version. The issue was reported on the NavigateCMS GitHub repository, but no official update or commit fixing the vulnerability is available [1]. Users should consider disabling access to the vulnerable navigate.php file or implementing a web application firewall (WAF) rule to block malicious category input until a patch is provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NavigateCMS/NavigateCMS
- Range: <= 2.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the URL-encoded GET `category` parameter allows blind SQL injection."
Attack vector
An attacker sends a crafted HTTP GET request to `navigate.php` with a malicious payload in the `category` parameter. The payload uses SQL `SLEEP()` functions to perform blind time-based SQL injection, allowing the attacker to infer information from the database based on response delays [1]. The payload is URL-encoded and includes stacked SQL subqueries wrapped in comment syntax to bypass basic filters [1]. The attack requires no authentication and can be launched remotely over HTTP.
Affected code
The vulnerability exists in `navigate.php` within the NavigateCMS 2.9 codebase [1]. The `category` GET input parameter is processed without sanitization, allowing SQL injection payloads to reach the database query.
What the fix does
No patch is included in the bundle. The advisory [1] does not provide remediation code or vendor fix guidance. To close this vulnerability, the application must properly sanitize or parameterize the `category` GET input before using it in SQL queries, preventing attacker-controlled data from being interpreted as SQL code.
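An added example of the remediation described above (not NavigateCMS code and not from the advisory): the `category` value is validated as a numeric identifier and then bound as a query parameter. The `items` table, the function names and the assumption that `category` is an integer ID are hypothetical, and an in-memory SQLite database stands in for the CMS database so the script runs offline.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the CMS database. Table and rows are
// constructed for this example; they are not NavigateCMS's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, category INTEGER, title TEXT, position INTEGER)');
$pdo->exec("INSERT INTO items (category, title, position)
            VALUES (3, 'About', 1), (3, 'Contact', 2), (7, 'News', 1)");

// Assumption: category is a numeric ID. Accept decimal digits only and
// return null for anything else, including arrays such as category[]=1.
function parse_category($raw): ?int
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// The value is bound as an integer parameter, so it is never parsed as SQL
// even if the validation above is later relaxed.
function items_in_category(PDO $pdo, int $category): array
{
    $stmt = $pdo->prepare(
        'SELECT id, title FROM items WHERE category = :category ORDER BY position'
    );
    $stmt->bindValue(':category', $category, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: two ordinary IDs and the leading part of the payload
// quoted in the advisory, as it would arrive in $_GET['category'].
$samples = ['3', '7', '=(select(0)from(select(sleep(10)))v)'];

foreach ($samples as $raw) {
    $category = parse_category($raw);
    if ($category === null) {
        // In a request handler: respond 400 and log the rejected value.
        echo "rejected: {$raw}\n";
        continue;
    }
    $titles = array_column(items_in_category($pdo, $category), 'title');
    echo "category {$category}: " . implode(', ', $titles) . "\n";
}
```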
Preconditions
- network: Attacker must be able to send HTTP requests to the NavigateCMS instance.
- input: The `category` GET parameter must be accepted and processed by navigate.php without sanitization.
Reproduction
Send a GET request to the NavigateCMS instance with a blind SQL injection payload in the `category` parameter. Example from [1]: `http://<host>:8012/navigate/navigate/navigate.php?_bogus=1592542677572&act=items_order&category==(select(0)from(select(sleep(10)))v)/*%27%2B(select(0)from(select(sleep(10)))v)%2B%27%22%2B(select(0)from(select(sleep(10)))v)%2B%22*/&fid=items`. A noticeable delay in the server response confirms the blind SQL injection is exploitable.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/NavigateCMS/Navigate-CMS/issues/20 (mitre, x_refsource_MISC)