{"api_version":"1","generated_at":"2026-04-23T16:54:17+00:00","cve":"CVE-2020-25760","urls":{"html":"https://cve.report/CVE-2020-25760","api":"https://cve.report/api/cve/CVE-2020-25760.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25760","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25760"},"summary":{"title":"CVE-2020-25760","description":"Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-09-30 18:15:00","updated_at":"2022-01-01 18:40:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/159262/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","name":"http://packetstormsecurity.com/files/159262/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"Visitor Management System In PHP 1.0 SQL Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2020/Sep/43","name":"20200922 Visitor Management System in PHP 1.0 - Authenticated SQL Injection","refsource":"FULLDISC","tags":["Exploit","Mailing List","Third Party Advisory"],"title":"Full Disclosure: Visitor Management System in PHP 1.0 - Authenticated SQL\tInjection","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/159637/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","name":"http://packetstormsecurity.com/files/159637/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","refsource":"MISC","tags":[],"title":"Visitor Management System In PHP 1.0 SQL Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://packetstormsecurity.com/files/author/15149/","name":"https://packetstormsecurity.com/files/author/15149/","refsource":"MISC","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Files from Rahul Ramkumar ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25760","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25760","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"25760","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"projectworlds","cpe5":"visitor_management_system_in_php","cpe6":"1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25760","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"projectworlds","cpe5":"visitor_management_system_in_php","cpe6":"1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-25760","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"FULLDISC","name":"20200922 Visitor Management System in PHP 1.0 - Authenticated SQL Injection","url":"http://seclists.org/fulldisclosure/2020/Sep/43"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/159262/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","url":"http://packetstormsecurity.com/files/159262/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html"},{"refsource":"MISC","name":"https://packetstormsecurity.com/files/author/15149/","url":"https://packetstormsecurity.com/files/author/15149/"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/159637/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html","url":"http://packetstormsecurity.com/files/159637/Visitor-Management-System-In-PHP-1.0-SQL-Injection.html"}]}},"nvd":{"publishedDate":"2020-09-30 18:15:00","lastModifiedDate":"2022-01-01 18:40:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:projectworlds:visitor_management_system_in_php:1.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25760","Ordinal":"187178","Title":"CVE-2020-25760","CVE":"CVE-2020-25760","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25760","Ordinal":"1","NoteData":"Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"25760","Ordinal":"2","NoteData":"2020-09-29","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"25760","Ordinal":"3","NoteData":"2020-10-20","Type":"Other","Title":"Modified"}]}}}