CVE-2020-37163
8.2 HIGH
Published 2026-02-07 · Modified 2026-02-09 · Awaiting Analysis
Quick Summary
A vulnerability in QuickDate 1.3.2 allows attackers to send specially crafted data to the application, which can trick the database into running unauthorized commands. This matters because it directly threatens the security of all data stored by the application.
Who is affected
All users running QuickDate 1.3.2 are affected. An attacker could steal sensitive information like usernames, passwords, and other private database contents.
Recommended fix
Immediately upgrade QuickDate to a patched version. If an update is not available, implement strict input validation and use parameterized queries for the 'find_matches' endpoint.
Technical Description
QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the '_located' parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version.
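The recommended fix applied to a stand-in for the find_matches query, as an added example that is not QuickDate's own code. Assumptions: the schema, rows, function names and crafted string are constructed, and '_located' is treated as a numeric distance filter, which this page does not state.

```python
import sqlite3

# Constructed request value of the UNION kind described above.
CRAFTED = "10 UNION SELECT password FROM users"
MAX_DISTANCE_KM = 500  # assumed upper bound for the filter


def make_db():
    # Hypothetical schema; QuickDate's real tables are not shown on this page.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE profiles (user_id INTEGER, display_name TEXT, distance_km INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
        INSERT INTO profiles VALUES (1, 'Alice', 5), (2, 'Bob', 40);
    """)
    return db


def parse_located(raw):
    """Strict input validation: ASCII digits only, within the allowed range."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("_located must be a non-negative integer")
    value = int(raw)
    if value > MAX_DISTANCE_KM:
        raise ValueError("_located out of range")
    return value


def find_matches_unsafe(db, located):
    # The CWE-89 pattern: request data concatenated into the SQL text.
    sql = "SELECT display_name FROM profiles WHERE distance_km <= " + located
    return [row[0] for row in db.execute(sql)]


def find_matches_bound_only(db, located):
    # Binding alone: the string is compared as a value and never parsed as SQL.
    # SQLite's type rules still decide which rows match, so validate as well.
    sql = "SELECT display_name FROM profiles WHERE distance_km <= ?"
    return [row[0] for row in db.execute(sql, (located,))]


def find_matches_safe(db, located):
    # Validate first, then bind; the SQL text is a constant.
    km = parse_located(located)
    sql = "SELECT display_name FROM profiles WHERE distance_km <= ?"
    return [row[0] for row in db.execute(sql, (km,))]
```

With the constructed data, the concatenating version returns rows from the users table for CRAFTED, the bound-only version returns profile names only, and the validating version rejects the value before any query runs.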
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-89