CVE-2020-37147
SQL Injection in ATutor 2.2.4 Admin User Deletion

Publication date: 2026-02-07

Last updated on: 2026-02-07

Assigner: VulnCheck

Description
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
Meta Information
Published: 2026-02-07
Last Modified: 2026-02-07
Generated: 2026-05-27
AI Q&A: 2026-02-07
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
1 associated CPE
Vendor: atutor
Product: atutor
Version / Range: to 2.2.4 (exc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2020-37147 is a SQL injection vulnerability found in ATutor version 2.2.4, specifically in the admin user deletion page. It occurs because the 'id' parameter in the admin_delete.php script is not properly sanitized, allowing authenticated attackers to inject malicious SQL code.

By exploiting this vulnerability, an attacker who has admin-level access can manipulate database queries through the 'id' parameter, potentially extracting or modifying sensitive database information. [2, 3]


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker with admin privileges to execute arbitrary SQL commands on the database. This can lead to unauthorized access, extraction, or modification of sensitive data stored in the database.

Such unauthorized database manipulation can compromise the integrity and confidentiality of the data, potentially affecting the operation of the ATutor system and exposing sensitive user information.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL injection vulnerability in ATutor 2.2.4 can be confirmed by injecting SQL syntax into the 'id' parameter of the admin_delete.php script while authenticated as an admin user.

One practical method is to use an automated SQL injection tool such as sqlmap against that URL parameter:

- Log in as an admin user to the ATutor application and capture the session cookie.
- Run a command similar to: sqlmap -u "http://<target>/atutor/mods/_core/users/admin_delete.php?id=17" -p id --cookie="<admin_session_cookie>" --user-agent="Mozilla/5.0" --dbms=mysql

This command sends crafted payloads in the 'id' parameter. The authentication cookie is required because the page is only reachable from a logged-in admin session, and a browser-like User-Agent avoids being rejected by filters that block sqlmap's default one.

Because the script under test deletes users, run it against a disposable test account or a staging copy of the database rather than production data. [2]
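The sqlmap check above confirms the flaw from the attacker's side. On the defender's side, the same endpoint can be watched in web-server access logs: a legitimate request to admin_delete.php carries a plain integer id, so anything else in that parameter is worth a look. The script below is an added example, not ATutor code or part of the original page. It parses Apache combined-format lines (the sample lines are constructed, not real traffic; the path is the one given in the sqlmap command above), percent-decodes the id parameter a second time to catch double encoding, and reports every hit whose id is not a bare integer.

```python
"""Flag admin_delete.php requests whose 'id' parameter is not a plain integer.

Added example (not ATutor code). Input: Apache "combined" access-log lines.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines for the demonstration; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2026:10:01:02 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2026:10:01:07 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2026:10:01:09 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.9 - - [07/Feb/2026:10:01:12 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17%2520OR%25201%253D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Feb/2026:10:02:00 +0000] "GET /atutor/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TARGET_SCRIPT = "admin_delete.php"   # the vulnerable script named in the advisory
INTEGER_ID = re.compile(r"[0-9]+")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_ids(log_text):
    """Return (ip, decoded_id, user_agent) for every admin_delete.php request
    whose 'id' value is anything other than a bare integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith(TARGET_SCRIPT):
            continue
        # parse_qs percent-decodes once; decode once more so a double-encoded
        # payload (%2520 -> %20 -> space) is judged in its final form.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            decoded = unquote(raw)
            if INTEGER_ID.fullmatch(decoded) is None:
                hits.append((rec["ip"], decoded, rec["ua"]))
    return hits


def by_source(hits):
    """Count flagged requests per client IP, to see who is probing the endpoint."""
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    found = suspicious_ids(SAMPLE_LOG)
    for ip, value, ua in found:
        print(f"{ip}\tid={value!r}\tua={ua}")
    print("per source:", by_source(found))
```

The integer check is deliberately strict: it rejects whitespace, quotes and comment markers alike, so it does not depend on a signature list of known payloads. A burst of flagged requests from one address with a tool User-Agent is the pattern the sqlmap run above would leave behind.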


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the admin_delete.php script to only trusted and authenticated administrators; since the flaw is reachable only from an authenticated admin session, also review which accounts hold admin rights.

Ensure that user input, especially the 'id' parameter, is validated (an id should be a plain integer) and passed to the database as a bound parameter of a prepared statement rather than concatenated into the SQL string.

If possible, apply patches or updates provided by ATutor that address this vulnerability.

As a temporary measure, monitor and restrict HTTP requests to the vulnerable URL to prevent exploitation.
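The CWE-89 description above explains the flaw class in the abstract, and the mitigation list asks for validation plus safe query construction. The block below is an added example, not ATutor's code and not taken from the advisory, that makes both concrete: a user-deletion handler that concatenates the raw 'id' string into its DELETE statement, beside one that validates the id and binds it as a parameter. SQLite is used as a stand-in for ATutor's MySQL backend, the table and rows are constructed for the demonstration, and the actual query in admin_delete.php is not known from this page.

```python
"""SQL injection through an 'id' parameter, vulnerable and fixed forms side by side.

Added example (not ATutor code). SQLite stands in for MySQL; data is constructed.
"""
import re
import sqlite3

POSITIVE_INT = re.compile(r"[1-9][0-9]*")


def make_db():
    """Fresh in-memory database with three constructed member rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)",
                    [(1, "admin"), (17, "alice"), (42, "bob")])
    con.commit()
    return con


def delete_member_vulnerable(con, raw_id):
    """CWE-89 pattern: the request parameter is spliced into the statement text.

    Returns the number of rows deleted. A value such as '17 OR 1=1' is parsed
    as SQL, so the WHERE clause matches every row, not the one the admin chose.
    """
    sql = "DELETE FROM members WHERE member_id=" + raw_id
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def delete_member_fixed(con, raw_id):
    """Hardened form: validate, then bind.

    1. The id must be a positive integer; anything else is refused before
       the database is touched.
    2. The value travels as a bound parameter, so the database never treats
       it as part of the SQL grammar.
    Returns the number of rows deleted (0 or 1).
    """
    if POSITIVE_INT.fullmatch(raw_id) is None:
        raise ValueError(f"invalid member id: {raw_id!r}")
    member_id = int(raw_id)
    cur = con.execute("DELETE FROM members WHERE member_id=?", (member_id,))
    con.commit()
    return cur.rowcount


def remaining_ids(con):
    """Member ids still present, in order, for checking what each handler did."""
    return [row[0] for row in con.execute("SELECT member_id FROM members ORDER BY member_id")]


if __name__ == "__main__":
    payload = "17 OR 1=1"   # tautology an attacker could place in the id parameter

    con = make_db()
    print("vulnerable, id='17':", delete_member_vulnerable(con, "17"), "row(s);", remaining_ids(con))
    con = make_db()
    print(f"vulnerable, id={payload!r}:", delete_member_vulnerable(con, payload), "row(s);", remaining_ids(con))

    con = make_db()
    print("fixed, id='17':", delete_member_fixed(con, "17"), "row(s);", remaining_ids(con))
    try:
        delete_member_fixed(con, payload)
    except ValueError as exc:
        print("fixed, injection attempt rejected:", exc)
    print("rows after rejected attempt:", remaining_ids(con))
```

Both defences are kept: the integer check gives an early, loggable rejection, and the bound parameter protects the query even if a future caller passes a value that slipped past validation. Stacked statements (a trailing `; DROP TABLE ...`) are not shown because neither SQLite's `execute()` nor the usual single-statement MySQL API accepts them; the tautology is the payload shape that works through a plain query call.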

