Cyber Posture

CVE-2020-36084

Severity: Critical · Public PoC available

Published: 05 February 2025
Modified: 02 May 2025
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SQL injection vulnerability in SourceCodester Responsive E-Learning System 1.0 allows remote attackers to inject SQL queries through the id parameter of /elearning/delete_teacher_students.php.

Security Summary

CVE-2020-36084 is a SQL injection vulnerability (CWE-89) in SourceCodester Responsive E-Learning System 1.0. The flaw resides in the /elearning/delete_teacher_students.php endpoint, where the 'id' parameter is used in a database query without proper validation or parameterization, allowing remote attackers to inject arbitrary SQL.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no privileges, no user interaction, and unchanged impact scope. Remote unauthenticated attackers can execute malicious SQL queries to achieve high impacts on confidentiality, integrity, and availability, such as extracting sensitive data, modifying records, or disrupting database operations.

A proof-of-concept exploit is publicly available on Exploit-DB at https://www.exploit-db.com/exploits/49357. No vendor advisories or patch details are referenced in the available information.
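The following is an added illustration of the CWE-89 pattern the summary describes and of the corresponding fix; it is not code from the Responsive E-Learning System and does not reproduce the Exploit-DB proof of concept. The table name `teacher_students`, the mysqli connection `$conn`, and the session check are assumptions made for this example.

```php
<?php
// Added illustrative example (not the Responsive E-Learning System's own code).
// Assumptions: a MySQL table `teacher_students` with an integer primary key
// `id`, an open mysqli connection $conn, and a PHP session that marks a
// logged-in teacher. None of these are taken from the vulnerable project.

// VULNERABLE pattern matching the CWE-89 description: the `id` query-string
// parameter is interpolated straight into the SQL text, so whatever the
// client sends becomes part of the statement the database executes.
function delete_teacher_student_vulnerable(mysqli $conn, array $get): bool
{
    $id  = $get['id'] ?? '';
    $sql = "DELETE FROM teacher_students WHERE id = '$id'";
    return $conn->query($sql) !== false;
}

// HARDENED version. Three changes address the weaknesses the CVSS vector
// highlights (network-reachable, no privileges, no user interaction):
//   1. the request must carry an authenticated teacher session (closes the PR:N gap),
//   2. the parameter is validated as a positive integer before use,
//   3. the value is bound to a prepared statement, so it can never change the
//      structure of the query.
function delete_teacher_student_safe(mysqli $conn, array $get, array $session): bool
{
    if (empty($session['teacher_id'])) {          // assumed session key
        http_response_code(403);
        return false;
    }

    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || $id === null) {
        http_response_code(400);                  // reject non-numeric input outright
        return false;
    }

    $stmt = $conn->prepare('DELETE FROM teacher_students WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);                  // 'i' = integer binding
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical wiring in the endpoint (constructed usage, not project code):
// session_start();
// delete_teacher_student_safe($conn, $_GET, $_SESSION);
```

For detection purposes, the vulnerable form is recognisable in source review by string interpolation of `$_GET`/`$_POST` values inside SQL text; at the network layer, requests to this endpoint whose `id` value is not a plain integer are the anomaly worth alerting on, regardless of which payload is used.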

Details

CWE(s)
CWE-89

Affected Products

Vendor: jkev
Product: responsive e-learning system
Version: 1.0

References