CVE-2020-37110 in 60CycleCMS

Summary

by MITRE • 02/03/2026

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting.


Analysis

by VulDB Data Team • 02/18/2026

The vulnerability identified as CVE-2020-37110 affects 60CycleCMS version 2.5.2 and represents a critical SQL injection flaw that undermines the application's database security. This vulnerability exists within two key files: news.php and common/lib.php, making it particularly dangerous as it affects core content management functionality and underlying library operations. The flaw stems from insufficient input validation mechanisms that fail to properly sanitize user-supplied data before incorporating it into database queries, creating an exploitable pathway for malicious actors to manipulate the application's backend database systems.

The flaw lets an attacker inject SQL through specific query parameters, most notably the 'title' parameter used in content management operations. Because user input is concatenated directly into SQL statements without sanitization or parameterization, a crafted value can alter the intended query and enable unauthorized data extraction, modification, or deletion against the underlying database, potentially compromising the integrity of the entire content management system. The vulnerability operates at the application layer and does not involve client-side scripting, so it is distinct from XSS but equally damaging to database security.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could lead to complete system compromise and unauthorized administrative access. Attackers can leverage the SQL injection to escalate privileges, bypass authentication mechanisms, and potentially gain persistence within the compromised environment. The vulnerability affects the core functionality of 60CycleCMS, which may result in service disruption, data corruption, or complete system takeover depending on the attacker's objectives and the database configuration. Organizations relying on this CMS version face significant risk of data breaches and regulatory compliance violations, particularly in environments where sensitive information is stored within the database.

Security mitigation strategies for CVE-2020-37110 should prioritize immediate patching of the 60CycleCMS application to version 2.5.3 or later, which contains the necessary fixes for the SQL injection vulnerability. Organizations should implement proper input validation and parameterized query construction across all database interactions, following established security best practices and standards such as those outlined in the CWE-89 category for SQL injection vulnerabilities. The ATT&CK framework categorizes this vulnerability under the T1190 technique for exploitation of remote services, emphasizing the need for network segmentation and application firewalls to limit attack surface. Additionally, database access controls should be reviewed and strengthened, ensuring that applications use least-privilege accounts with minimal necessary database permissions to limit the potential damage from successful exploitation attempts.
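The two patterns the analysis contrasts, string concatenation versus a parameterized query, as an added example that is not 60CycleCMS code: the table name, column names and the PDO connection are hypothetical, and the sample rows are constructed. A title containing an apostrophe is enough to show why the concatenated form is fragile while the prepared statement treats the value strictly as data.

```php
<?php
// Added example (not 60CycleCMS code). Assumes a PDO handle $pdo and a
// hypothetical table `news` with columns `id`, `title`, `body`.

// Vulnerable pattern: the request value is spliced into the SQL text, so any
// quote or operator in the input becomes part of the query grammar.
function findNewsByTitleUnsafe(PDO $pdo, string $title): array
{
    $sql = "SELECT id, title, body FROM news WHERE title = '" . $title . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed at prepare time and the value is
// bound separately, so it can only ever be compared as data (CWE-89 fix).
function findNewsByTitle(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM news WHERE title = :title');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject values that cannot be a legitimate title before
// any query is built (length and character class are example limits).
function isPlausibleTitle(string $title): bool
{
    return strlen($title) <= 200
        && preg_match('/^[\p{L}\p{N} .,:;!?\'"()-]+$/u', $title) === 1;
}

// Stand-alone run against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO news (title, body) VALUES ('Release notes', 'v2.5.2'), ('O''Neil interview', 'text')");

$title = $_GET['title'] ?? "O'Neil interview";   // request parameter, as news.php would read it
if (!isPlausibleTitle($title)) {
    http_response_code(400);
    exit('invalid title');
}
var_dump(findNewsByTitle($pdo, $title));           // exactly one row; the apostrophe is data
try {
    findNewsByTitleUnsafe($pdo, $title);           // the apostrophe breaks the SQL grammar
} catch (PDOException $e) {
    echo "unsafe query rejected by the database: " . $e->getMessage() . "\n";
}
```

The database error raised by the unsafe function is the same symptom that, with hostile rather than accidental input, becomes a query-manipulation path; logging such errors on the 'title' parameter is a cheap detection signal while the upgrade is rolled out.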

Responsible: VulnCheck

Reservation: 02/01/2026

Disclosure: 02/03/2026

Moderation: accepted

CPE: ready

EPSS: 0.00058

KEV: no

Activities: very low
