CVE-2020-36112
published 2021-01-04

CVE-2020-36112: CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in…

Priority: P1 · 80 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 17.17% (96.7th percentile)
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running.

Affected

1 range
Vendor: cse_bookstore_project · Product: cse_bookstore · Version range: (blank) · Fixed in: (blank)

Detection & IOCs (extracted from sources)

URL: /ebook/bookPerPub.php?pubid=4'
Path: /ebook/bookPerPub.php
  • Detect SQL injection exploitation attempts by matching HTTP response body for MySQL error strings triggered by injecting a single quote into the `pubid` parameter of bookPerPub.php
  • Monitor GET requests to bookPerPub.php and cart.php with the `pubid` parameter containing SQL metacharacters (e.g., single quote) as indicators of time-based blind, boolean-based blind, or OR error-based SQL injection attempts
  • The detection rule requires only 1 HTTP request (max-request: 1) and targets unauthenticated access — no session or authentication token is needed, meaning the attack surface is fully exposed to anonymous internet traffic
  • Vulnerability affects specifically CSE Bookstore version 1.0; the injected parameter is `pubid` in both bookPerPub.php and cart.php — detections scoped only to bookPerPub.php will miss the cart.php attack vector
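The two detection points above (suspicious `pubid` values on both scripts, and MySQL error strings in the response) as a small log-side detector. This is an added example, not code from the page or from the CSE Bookstore project; it assumes a combined-format web server access log and uses constructed sample lines, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameter named in the CVE description; pubid is a numeric id.
TARGET_SCRIPTS = ("bookperpub.php", "cart.php")
PARAM = "pubid"
# SQL metacharacters that break out of a numeric predicate (quote, comment, boolean glue).
SQL_META = re.compile(r"""['";]|--|#|/\*|\b(?:or|and)\b""", re.IGNORECASE)
# MySQL error fragments that an error-based injection surfaces in the response body.
MYSQL_ERRORS = ("You have an error in your SQL syntax", "mysql_fetch", "mysqli_", "Warning: mysql")
# Combined-format access log line (client, timestamp, request line, status); assumed format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def classify_url(url):
    """Return the reasons a request URL looks like a CVE-2020-36112 probe ([] if benign)."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in TARGET_SCRIPTS:
        return []
    reasons = []
    # parse_qs already percent-decodes, so %27 arrives as a literal quote.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if not value.isdigit():
            reasons.append(f"non-numeric {PARAM}={value!r} on {script}")
        if SQL_META.search(value):
            reasons.append(f"SQL metacharacter in {PARAM} on {script}")
    return reasons

def scan_access_log(lines):
    """Return (client ip, url, reasons) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify_url(m["url"])):
            hits.append((m["ip"], m["url"], reasons))
    return hits

def response_has_mysql_error(body):
    """True when a response body leaks a MySQL error, i.e. the injected quote reached the query."""
    return any(s.lower() in body.lower() for s in MYSQL_ERRORS)

# Constructed sample log, not real traffic: one benign request, two probes, one off-target quote.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jan/2021:10:00:01 +0000] "GET /ebook/bookPerPub.php?pubid=4 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Jan/2021:10:00:02 +0000] "GET /ebook/bookPerPub.php?pubid=4%27 HTTP/1.1" 200 812',
    '198.51.100.9 - - [04/Jan/2021:10:00:03 +0000] "GET /ebook/cart.php?pubid=4%27 HTTP/1.1" 200 790',
    '198.51.100.9 - - [04/Jan/2021:10:00:04 +0000] "GET /ebook/index.php?id=%27 HTTP/1.1" 200 400',
]
```

Calling `scan_access_log(SAMPLE_LOG)` flags the second and third lines only, so the cart.php probe is caught as well as the bookPerPub.php one; `response_has_mysql_error` is meant for a proxy or WAF that can see response bodies.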

CVSS provenance

NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL