Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-37033

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Jan, 2026 | 22:07
Updated At-02 Feb, 2026 | 20:13
Rejected At-
Credits

Infor Storefront B2B 1.0 - 'usr_name' SQL Injection

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Jan, 2026 | 22:07
Updated At:02 Feb, 2026 | 20:13
Rejected At:
▼CVE Numbering Authority (CNA)
Infor Storefront B2B 1.0 - 'usr_name' SQL Injection

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information.

Affected Products
Vendor
Insite Software
Product
Infor Storefront B2B
Versions
Affected
  • 1.0
Problem Types
TypeCWE IDDescription
CWECWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
4.08.8HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
ratboy
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.exploit-db.com/exploits/48674
exploit
https://web.archive.org/web/20191223051205/https://www.insitesoft.com/infor-storefront/
product
https://www.vulncheck.com/advisories/infor-storefront-bb-usrname-sql-injection
third-party-advisory
Hyperlink: https://www.exploit-db.com/exploits/48674
Resource:
exploit
Hyperlink: https://web.archive.org/web/20191223051205/https://www.insitesoft.com/infor-storefront/
Resource:
product
Hyperlink: https://www.vulncheck.com/advisories/infor-storefront-bb-usrname-sql-injection
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Jan, 2026 | 23:16
Updated At:03 Feb, 2026 | 16:44

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.8HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-89Primarydisclosure@vulncheck.com
CWE ID: CWE-89
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://web.archive.org/web/20191223051205/https://www.insitesoft.com/infor-storefront/disclosure@vulncheck.com
N/A
https://www.exploit-db.com/exploits/48674disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/infor-storefront-bb-usrname-sql-injectiondisclosure@vulncheck.com
N/A
Hyperlink: https://web.archive.org/web/20191223051205/https://www.insitesoft.com/infor-storefront/
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.exploit-db.com/exploits/48674
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/infor-storefront-bb-usrname-sql-injection
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

64Records found
CVE-2020-37076
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.10% / 27.98%
||
7 Day CHG+0.06%
Published-03 Feb, 2026 | 22:01
Updated-10 Feb, 2026 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Victor CMS 1.0 - 'post' SQL Injection

Victor CMS version 1.0 contains a SQL injection vulnerability in the 'post' parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques.

Action-Not Available
Vendor-victor_cms_projectVictorAlagwu
Product-victor_cmsCMSsite
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-36945
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.20% / 41.46%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 17:35
Updated-29 Jan, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel.

Action-Not Available
Vendor-WEBDAMN.COM
Product-WebDamn User Registration & Login System with User Panel
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-36951
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.04% / 13.23%
||
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:23
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection

Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques.

Action-Not Available
Vendor-geraked
Product-phpscript-sgh
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37004
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||NONE
EPSS-0.04% / 10.76%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 14:28
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage

Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques.

Action-Not Available
Vendor-codexcube
Product-Ultimate Project Manager CRM PRO
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37006
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||NONE
EPSS-0.05% / 15.61%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 14:28
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
berliCRM 1.0.24 - 'src_record' SQL Injection

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information.

Action-Not Available
Vendor-crm-now GmbH
Product-berliCRM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37051
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.04% / 13.23%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 22:07
Updated-03 Feb, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Online-Exam-System 2015 - 'feedback' SQL Injection

Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the 'feed.php' endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters.

Action-Not Available
Vendor-sunnygkp10
Product-Online-Exam-System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37163
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.06% / 18.61%
||
7 Day CHG~0.00%
Published-06 Feb, 2026 | 23:14
Updated-10 Feb, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuickDate 1.3.2 - SQL Injection

QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version.

Action-Not Available
Vendor-QuickDate
Product-QuickDate
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37089
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.03% / 8.75%
||
7 Day CHG-0.00%
Published-03 Feb, 2026 | 22:01
Updated-10 Feb, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School ERP Pro 1.0 - 'es_messagesid' SQL Injection

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.

Action-Not Available
Vendor-aroxArox
Product-school_erp_proSchool ERP Pro
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-36972
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.03% / 8.35%
||
7 Day CHG-0.01%
Published-28 Jan, 2026 | 17:35
Updated-09 Feb, 2026 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SmartBlog 2.0.1 - 'id_post' Blind SQL injection

SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the 'id_post' parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information.

Action-Not Available
Vendor-smartdatasoftsmartdatasoft
Product-smartblogSmartBlog
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-37057
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.04% / 13.23%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 22:07
Updated-03 Feb, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Online-Exam-System 2015 - 'fid' SQL Injection

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information.

Action-Not Available
Vendor-sunnygkp10
Product-Online-Exam-System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-50895
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.05% / 13.91%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-14 Jan, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aero CMS 0.0.1 - SQL Injection

Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system.

Action-Not Available
Vendor-MegaTKC
Product-Aero CMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-50694
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.21% / 42.80%
||
7 Day CHG+0.03%
Published-30 Dec, 2025 | 22:41
Updated-16 Jan, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x SQL Injection via Username Parameter

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information.

Action-Not Available
Vendor-sound4Kantar MediaSOUND4 Ltd.
Product-pulsebig_voice4_firmwarefirstpulse_firmwarewm2pulse_eco_firmwareimpact_ecoimpact_eco_firmwarebig_voice4stream_extensionwm2_firmwarefirst_firmwareimpactbig_voice2impact_firmwarepulse_ecobig_voice2_firmwareBigVoice4WM2StreamImpact/Pulse/FirstBigVoice2Impact/Pulse Eco
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-50805
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.05% / 13.91%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 22:51
Updated-14 Jan, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Senayan Library Management System 9.0.0 - SQL Injection

Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information.

Action-Not Available
Vendor-SLIMS
Product-Senayan Library Management System
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-50594
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.8||HIGH
EPSS-0.16% / 37.19%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:57
Updated-24 Nov, 2025 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView < v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found