CVE-2020-8656: 
EyesOfNetwork vulnerability analysis and mitigation

An SQL injection vulnerability was discovered in EyesOfNetwork version 5.3, specifically affecting the EyesOfNetwork API 2.4.2. The vulnerability was identified and disclosed on February 5, 2020, and is tracked as CVE-2020-8656. The vulnerability allows unauthenticated attackers to perform SQL injection attacks through the username field in the getApiKey function of include/api_functions.php (CVE Details).

The vulnerability exists in the username parameter of the getApiKey function within the EyesOfNetwork API 2.4.2. Attackers can exploit this by injecting SQL commands into the username field, which can lead to authentication bypass. A proof of concept demonstrates that the injection can be performed using SQL UNION SELECT statements with the sleep function, for example: '/eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '' (GitHub Issue).

The SQL injection vulnerability allows unauthenticated attackers to bypass authentication mechanisms and potentially access sensitive information from the database. This could lead to unauthorized access to the system and compromise of system security (CVE Details).