CVE-2020-37147
SQL Injection in ATutor 2.2.4 Admin User Deletion

Publication date: 2026-02-07

Last updated on: 2026-02-07

Assigner: VulnCheck

Description
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
Meta Information
Published: 2026-02-07
Last Modified: 2026-02-07
Generated: 2026-06-16
AI Q&A: 2026-02-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: atutor
Product: atutor
Version / Range: up to 2.2.4 (excluding)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2020-37147 is a SQL injection vulnerability found in ATutor version 2.2.4, specifically in the admin user deletion page. It occurs because the 'id' parameter in the admin_delete.php script is not properly sanitized, allowing authenticated attackers to inject malicious SQL code.

By exploiting this vulnerability, an attacker who has admin-level access can manipulate database queries through the 'id' parameter, potentially extracting or modifying sensitive database information. [2, 3]

Impact Analysis

This vulnerability can allow an authenticated attacker with admin privileges to execute arbitrary SQL commands on the database. This can lead to unauthorized access, extraction, or modification of sensitive data stored in the database.

Such unauthorized database manipulation can compromise the integrity and confidentiality of the data, potentially affecting the operation of the ATutor system and exposing sensitive user information.


Detection Guidance

This SQL injection vulnerability in ATutor 2.2.4 can be confirmed by attempting to inject SQL code into the 'id' parameter of the admin_delete.php script while authenticated as an admin user.

One practical method is to use an automated SQL injection tool such as sqlmap to test the vulnerability by targeting the URL parameter.

1. Log in as an admin user to the ATutor application.
2. Run a command similar to: sqlmap -u "http://<target>/atutor/mods/_core/users/admin_delete.php?id=17" --cookie="<admin_session_cookie>" --user-agent="Mozilla/5.0" --dbms=mysql

This command tests the 'id' parameter for SQL injection by sending crafted payloads; it requires a valid User-Agent header and the admin authentication cookie to avoid errors. Because the target is a deletion endpoint, every probe is a real request against it: run the test on a non-production instance or against a disposable account id, since the baseline request with a valid id may itself remove that user. [2]
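A log-side complement to the active sqlmap test above, added here as an example and not taken from the page or from ATutor: it parses Apache combined-format access log lines (the lines, hosts, timestamps and user agents below are constructed) and flags any request to admin_delete.php whose 'id' does not decode to a plain decimal integer, or whose User-Agent is sqlmap's default. The path and the script name follow the URL in the sqlmap command; the log format and field names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two benign admin requests, two injection probes,
# one request to an unrelated script. Nothing here comes from a real install.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2026:10:01:02 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2026:10:02:15 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17%20OR%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2026:10:02:16 +0000] "GET /atutor/mods/_core/users/admin_delete.php?id=17%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.5 - - [07/Feb/2026:10:03:40 +0000] "GET /atutor/browse.php?id=17 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2026:10:04:00 +0000] "POST /atutor/mods/_core/users/admin_delete.php?id=17 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TARGET_SCRIPT = "admin_delete.php"   # script named in the advisory
ID_RE = re.compile(r"\d+")           # the only shape a legitimate member id should have


def scan_log(text):
    """Return one finding per admin_delete.php request whose decoded 'id' is not a
    plain integer, or whose User-Agent identifies sqlmap. Numeric ids from an
    authenticated admin are normal traffic and produce no finding."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a combined-format line
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + TARGET_SCRIPT):
            continue                                   # some other script
        params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
        ids = params.get("id", [])
        reasons = []
        for raw in ids:
            if not ID_RE.fullmatch(raw):
                reasons.append("non-numeric id")
        if m["ua"].lower().startswith("sqlmap"):
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "id": ids[0] if ids else None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Two limits worth knowing before relying on this: the User-Agent check is only a bonus signal, because sqlmap's agent string is trivially overridden (the command above does exactly that with --user-agent), so the non-numeric 'id' check is the one that matters; and an access log records only the query string, so an 'id' sent in a POST body is invisible here and needs the application's own request logging or a WAF in front of the script.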

Mitigation Strategies

Immediate mitigation steps include restricting access to the admin_delete.php script to only trusted and authenticated administrators.

Ensure that user input, especially the 'id' parameter, is properly sanitized and validated before being used in SQL queries.
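The CWE-89 pattern described under CWE above and the validate-before-query fix this paragraph asks for, side by side, as an added example: this is illustrative Python over an in-memory SQLite table, not ATutor's PHP code, and the members table, its column names, the sample rows and the two delete functions are all assumptions made for the demonstration. The same attacker-controlled 'id' value is fed to both variants so the difference in outcome is visible.

```python
import sqlite3

# Constructed sample data standing in for a members table (hypothetical schema).
SAMPLE_MEMBERS = [(15, "alice"), (16, "bob"), (17, "mallory")]


def fresh_db():
    """In-memory SQLite stand-in; ATutor itself uses MySQL, but the injection is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def delete_member_vulnerable(conn, raw_id):
    """CWE-89: the request parameter is spliced into the SQL text as-is.
    Illustrative only; this is not ATutor's code."""
    sql = "DELETE FROM members WHERE member_id = " + raw_id   # no validation, no quoting
    conn.execute(sql)
    conn.commit()


def delete_member_hardened(conn, raw_id):
    """Validate the id as a decimal integer, then bind it as a parameter so the
    driver never treats it as SQL syntax."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be a decimal integer")
    member_id = int(raw_id)
    conn.execute("DELETE FROM members WHERE member_id = ?", (member_id,))
    conn.commit()


def remaining_ids(conn):
    return sorted(row[0] for row in conn.execute("SELECT member_id FROM members"))


def demo(payload="17 OR 1=1"):
    """Run both variants on identical fresh tables with the same input and report
    which rows survive. The default payload is a classic tautology injection."""
    vuln = fresh_db()
    delete_member_vulnerable(vuln, payload)

    hard = fresh_db()
    try:
        delete_member_hardened(hard, payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_left": remaining_ids(vuln),
        "hardened_left": remaining_ids(hard),
        "hardened_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())        # tautology wipes the table in the vulnerable variant
    print(demo("17"))    # a legitimate id deletes exactly one row in both
```

Both checks in the hardened variant matter: the integer validation rejects anything that is not an id before any query is built, and the bound parameter guards against the case where validation is later loosened. Rejecting the request with an error, rather than silently coercing the value, also gives the access log and application log something a monitor can alert on.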

If possible, apply patches or updates provided by ATutor that address this vulnerability.

As a temporary measure, monitor and restrict HTTP requests to the vulnerable URL to prevent exploitation.
