Cyber Resilience

CVE-2020-37147

High | Public PoC

Published: 07 February 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 7.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-37147 is a high-severity SQL Injection (CWE-89) vulnerability in Github (inferred from references). Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking sits at the 2.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37147 is a SQL injection vulnerability (CWE-89) affecting ATutor 2.2.4, an open-source learning management system. The flaw exists in the admin user deletion page, specifically within the admin_delete.php script, where the 'id' parameter fails to properly sanitize user input. This allows attackers to inject malicious SQL code, manipulating database queries to extract or modify information.

The vulnerability can be exploited by authenticated attackers with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N), resulting in an unchanged scope (S:U). Successful exploitation provides high confidentiality impact (C:H), enabling data extraction, and low integrity impact (I:L) for potential modifications, with no availability impact (A:N). The CVSS v3.1 base score is 7.1.

Mitigation guidance and further details are available in referenced advisories, including the ATutor GitHub page (https://atutor.github.io/), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48117), and a VulnCheck advisory (https://www.vulncheck.com/advisories/atutor-id-sql-injection). Security practitioners should review these resources for patching instructions or input validation recommendations.

EU & UK References

Vulnerability details

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a network-accessible web application (ATutor admin page) directly enables remote exploitation of a public-facing app for data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Github
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: SI-10 Information Input Validation
Directly requires validation and sanitization of the 'id' parameter in admin_delete.php to block malicious SQL syntax before query execution.

prevent: SI-2 Flaw Remediation
Mandates timely patching or code fixes for the unsanitized input flaw in ATutor 2.2.4 that enables the SQL injection.

prevent
Restricts the authenticated attacker's privileges so that even a successful injection on the admin deletion page yields minimal database impact.
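As an added illustration of the SI-10 control above and of the flaw the deeper analysis describes, the script below contrasts the unsanitized pattern (a request value concatenated into a DELETE statement) with the hardened form: a strict positive-integer check on the id value followed by a parameterized query. This is not ATutor's code and is not taken from the referenced advisories; ATutor is written in PHP, so the Python/sqlite3 version only models the query-construction pattern. The table and column names (members, member_id) and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data; the real ATutor schema is not assumed here.
SAMPLE_ROWS = [(1, "admin"), (2, "alice"), (3, "bob")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed member rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT NOT NULL)")
    db.executemany("INSERT INTO members (member_id, login) VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def remaining_ids(db: sqlite3.Connection) -> list:
    """Return the member ids still present, in ascending order."""
    return [row[0] for row in db.execute("SELECT member_id FROM members ORDER BY member_id")]


def delete_member_unsafe(db: sqlite3.Connection, raw_id: str) -> int:
    """The CWE-89 pattern: the request value becomes part of the SQL text.

    Whatever the parameter contains is parsed as SQL, so the WHERE clause can be
    rewritten by whoever controls the 'id' value. Returns the number of rows deleted.
    """
    cur = db.execute("DELETE FROM members WHERE member_id = " + raw_id)
    db.commit()
    return cur.rowcount


# SI-10 style allow-list: a plain positive integer literal and nothing else.
ID_PATTERN = re.compile(r"[1-9][0-9]*")


def is_valid_id(raw_id: str) -> bool:
    """True only if the whole string is a positive integer literal."""
    return ID_PATTERN.fullmatch(raw_id) is not None


def delete_member_safe(db: sqlite3.Connection, raw_id: str) -> int:
    """Hardened version: validate first, then bind the value as a parameter.

    With a placeholder the driver passes the id as data rather than as SQL text,
    so the input cannot change the structure of the statement. Rejected input
    raises ValueError before any query is issued. Returns rows deleted.
    """
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    cur = db.execute("DELETE FROM members WHERE member_id = ?", (int(raw_id),))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("safe delete of '2' removed", delete_member_safe(db, "2"), "row(s); left:", remaining_ids(db))
    print("hardened path accepts '3 OR 1=1'?", is_valid_id("3 OR 1=1"))
    db = make_db()
    print("unsafe delete with '3 OR 1=1' removed", delete_member_unsafe(db, "3 OR 1=1"),
          "row(s); left:", remaining_ids(db))
```

The validation step and the parameter binding are independent layers: the regex rejects anything that is not an integer literal before the database is touched, and the placeholder guarantees that even a value which passes validation is never interpreted as SQL. Dropping either layer is the pattern the advisory describes.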

References