CVE-2020-37004

Name of the Vulnerable Software and Affected Versions Ultimate Project Manager CRM PRO version 2.0.5

Description A blind SQL injection allows attackers to extract usernames and password hashes from the tbl users database table. This is achieved by crafting malicious search parameters at the '/frontend/get article suggestion/' endpoint to retrieve user credentials using boolean-based inference techniques, where the attacker determines data by observing whether the application returns a true or false response.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.