VYPR
High severity 8.2 · NVD Advisory · Published Jan 28, 2026 · Updated Apr 15, 2026

CVE-2020-36945

Description

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebDamn User Registration Login System has an unauthenticated SQL injection in the login form, allowing attackers to bypass authentication using a crafted email payload.

Vulnerability

Overview

CVE-2020-36945 describes a SQL injection vulnerability in the login panel of the WebDamn User Registration & Login System with User Panel. The root cause is improper neutralization of special elements used in an SQL command (CWE-89) [3]. The login form fails to sanitize user-supplied input, allowing an attacker to inject SQL syntax directly into the authentication query.

Exploitation

An unauthenticated attacker can exploit this vulnerability by supplying a specially crafted payload in both the username and password fields. The payload takes the form `' OR '1'='1, where is a valid email address (which may be obtained through data leaks or other means) [4]. No prior authentication or special network access is required, as the login page is publicly accessible.

Impact

Successful exploitation allows the attacker to bypass the login authentication mechanism entirely and gain unauthorized access to the user panel [1][3]. Once inside, the attacker may be able to view, modify, or delete user accounts, access sensitive user data, and perform actions reserved for authenticated users, depending on the privileges of the compromised account.

Mitigation

As of the publication date, no official patch has been released for this vulnerability. The vendor's website still offers the affected software [1][2]. Users are advised to apply input validation and parameterized queries to prevent SQL injection, or to migrate to a more secure authentication system. The exploit has been publicly disclosed on Exploit-DB [4], increasing the risk of active exploitation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
