VYPR
High severity · 7.1 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2020-37108

Description

PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the 'id' parameter to potentially extract or modify database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PhpIX 2012 Professional is vulnerable to SQL injection via the 'id' parameter in product_detail.php, allowing remote attackers to extract or modify database information.

Vulnerability Overview

CVE-2020-37108 is a SQL injection vulnerability found in PhpIX 2012 Professional, a product by All Hands Marketing Co., Ltd. The flaw resides in the product_detail.php script, where the id parameter is not properly sanitized before being used in a database query. This allows an attacker to inject arbitrary SQL commands by manipulating the id value in the HTTP request [2].

Exploitation

The attack is performed remotely without authentication. An attacker can inject SQL code through the id parameter, as demonstrated in the proof-of-concept: /product_detail.php?id=448578 [2]. The vulnerability is accessible via a web browser, and the vendor's site is listed as http://www.allhandsmarketing.com/ [1]. No special privileges or network position are required beyond the ability to send HTTP requests to the vulnerable endpoint.

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, such as user credentials or other confidential information, or to modify database contents. The CVSS v3 score of 7.1 (High) reflects the potential for significant confidentiality and integrity impact, and the attack complexity is low [2].

Mitigation

As of the publication date (2026-02-03), no official patch has been identified. The vendor, All Hands Marketing, may have released updates or patches; however, no specific mitigation is mentioned in the provided references. Users should contact the vendor for security updates or consider upgrading to a supported version of the software [1][2].
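For operators who maintain their own copy of the code, the usual fix for this class of flaw is strict validation of `id` plus a bound query parameter. The sketch below is an added example, not PhpIX or vendor code: the `products` table, its columns and the `find_product` function are assumptions, and it uses an in-memory SQLite database with constructed sample data so it runs offline.

```php
<?php
// Added illustration, not PhpIX source. The products table, its columns and
// the function name are assumptions; only the 'id' parameter is from the advisory.

/** Look up one product by the request's 'id' value; null if invalid or absent. */
function find_product(PDO $pdo, $rawId): ?array
{
    // 1. Allow-list validation: accept only a positive decimal integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the handler should answer with HTTP 400 here
    }

    // 2. Bound parameter: the value travels separately from the SQL text,
    //    so it can never change the structure of the query.
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO products (id, name) VALUES (448578, 'Sample product')");

// Constructed inputs: a well-formed id, and values that are not plain integers.
foreach (['448578', '448578 and more text', '', '-1', '12.5'] as $input) {
    $row = find_product($pdo, $input);
    printf("%-24s => %s\n", var_export($input, true),
        $row === null ? 'rejected or not found' : $row['name']);
}
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses server-side prepared statements.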

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
