
Description

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

PUBLISHED Reserved 2026-02-01 | Published 2026-02-03 | Updated 2026-02-06 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
HIGH: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

5.6: affected

Credits

41-trk (Tarik Bakir) finder

References

www.exploit-db.com/exploits/48356 (ExploitDB-48356) exploit

www.sigb.net (Vendor Homepage) product

forge.sigb.net/redmine/projects/pmb/files (Software Download Repository) product

www.vulncheck.com/advisories/pmb-logid-sql-injection (VulnCheck Advisory: PMB 5.6 - 'logid' SQL Injection) third-party-advisory

cve.org (CVE-2020-37105)

nvd.nist.gov (CVE-2020-37105)
