CVE-2020-35597
Description
Victor CMS 1.0 is vulnerable to SQL injection via c_id parameter of admin_edit_comment.php, p_id parameter of admin_edit_post.php, u_id parameter of admin_edit_user.php, and edit parameter of admin_update_categories.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Victor CMS 1.0 is vulnerable to authenticated SQL injection in multiple admin parameters, allowing attackers to execute arbitrary SQL commands.
Vulnerability
Victor CMS 1.0 is vulnerable to SQL injection in the admin panel. The injection occurs via the c_id parameter in admin_edit_comment.php, p_id in admin_edit_post.php, u_id in admin_edit_user.php, and edit in admin_update_categories.php [1][2][3]. The application fails to sanitize these inputs, allowing an attacker to manipulate SQL queries.
Exploitation
Exploitation requires prior authentication to the Victor CMS admin panel [1][2]. An attacker registers an account, logs in, and navigates to the edit pages (e.g., comments, posts, users, categories). When clicking edit, a GET request with the vulnerable parameter is sent. The attacker can inject SQL payloads, such as AND SLEEP(10), to perform time-based blind injection or use tools like sqlmap to extract data [1][2].
Impact
Successful SQL injection can lead to disclosure of sensitive information (e.g., user credentials, database contents), modification of data, or potential compromise of the underlying server depending on database privileges. The attacker gains read and possibly write access to the application database [1][2][3].
Mitigation
No official fix has been released by the vendor; the GitHub repository was archived in March 2022 and is now read-only [3]. Users should immediately consider disabling or removing Victor CMS 1.0 from production environments. As a workaround, implement input validation and parameterized queries for the affected parameters, though this requires code modification [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Missing input sanitization in ID parameters allows direct SQL query manipulation."
Attack vector
An authenticated attacker first registers and logs into Victor CMS [ref_id=1][ref_id=2]. After login, the attacker navigates to the admin tabs for posts, categories, comments, or users and clicks the edit button on any record. The resulting GET request includes an unsanitized ID parameter (c_id, p_id, u_id, or edit) that is directly interpolated into a SQL query [ref_id=1][ref_id=2]. The attacker appends SQL payloads — such as `AND SLEEP(10)` — to these parameters to extract or manipulate database contents [ref_id=1][ref_id=2].
Affected code
The vulnerability exists in four admin files: `admin_edit_comment.php` (c_id parameter), `admin_edit_post.php` (p_id parameter), `admin_edit_user.php` (u_id parameter), and `admin_update_categories.php` (edit parameter) [ref_id=1][ref_id=2]. These files accept user-supplied ID parameters via GET requests without sanitization before using them in SQL queries.
What the fix does
No patch is provided in the bundle. The advisory does not include a fix commit or remediation guidance from the vendor [ref_id=1][ref_id=2]. To close this vulnerability, the application should use prepared statements or parameterized queries for all database operations involving user-supplied ID parameters, and input validation should ensure that ID values are numeric or otherwise expected types before being passed to SQL queries.
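The remediation described above, sketched for the c_id case as an added example; it is not Victor CMS source code and not a vendor fix. The table and column names, the connection settings and the helper names positive_int_param and load_comment are assumptions made for illustration. The same validate-then-bind pattern applies to p_id, u_id and edit.

```php
<?php
declare(strict_types=1);

// Added illustration, not the project's code. Schema (comments, comment_id,
// comment_content) and credentials below are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Return the parameter as a positive integer, or null when it is missing,
// an array, or anything other than a plain integer such as "2 AND SLEEP(10)".
function positive_int_param(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $value = filter_var($query[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Pattern the advisory describes (constructed for contrast): the raw value
// becomes part of the SQL text, so the database parses it as SQL.
//   $sql = "SELECT * FROM comments WHERE comment_id = " . $_GET['c_id'];

// Hardened form: the statement text is fixed and the ID travels separately
// as a typed bound parameter.
function load_comment(mysqli $db, int $commentId): ?array
{
    $stmt = $db->prepare(
        'SELECT comment_id, comment_content FROM comments WHERE comment_id = ?');
    $stmt->bind_param('i', $commentId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = positive_int_param($_GET, 'c_id');
if ($id === null) {
    http_response_code(400);   // reject before any query is built
    exit('Invalid comment id');
}
$db = new mysqli('localhost', 'cms_user', 'change-me', 'cms'); // assumed DSN
$comment = load_comment($db, $id);
if ($comment === null) {
    http_response_code(404);
    exit('Comment not found');
}
echo htmlspecialchars($comment['comment_content'], ENT_QUOTES, 'UTF-8');
```

Validation and binding are complementary: the integer check rejects malformed requests early, while the bound parameter keeps the query safe even if a validation step is later removed or bypassed.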
Preconditions
- auth: Attacker must register an account and log in to Victor CMS
- input: Attacker must navigate to an admin edit page (posts, categories, comments, or users)
- input: The vulnerable parameters (c_id, p_id, u_id, edit) are passed via GET request without sanitization
Reproduction
1. Register an account on the Victor CMS main page and log in [ref_id=1][ref_id=2].
2. Navigate to one of the admin tabs (Posts, Categories, Comments, or Users) and click the edit button on a record.
3. Intercept the resulting GET request and inject a SQL payload into the ID parameter. For example: `GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1` [ref_id=1][ref_id=2].
4. Observe a time delay in the response, confirming the SQL injection. The same technique works for all four vulnerable parameters [ref_id=1][ref_id=2].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- cxsecurity.com/issue/WLB-2020120118 (mitre, x_refsource_MISC)
- github.com/VictorAlagwu/CMSsite/issues/16 (mitre, x_refsource_MISC)
- www.exploit-db.com/exploits/49282 (mitre, x_refsource_MISC)