CVE-2020-37147
Published: 07 February 2026
Summary
CVE-2020-37147 is a high-severity SQL Injection (CWE-89) vulnerability in Github (inferred from references). Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 2.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37147 is a SQL injection vulnerability (CWE-89) affecting ATutor 2.2.4, an open-source learning management system. The flaw exists in the admin user deletion page, specifically within the admin_delete.php script, where the 'id' parameter fails to properly sanitize user input. This allows attackers to inject malicious SQL code, manipulating database queries to extract or modify information.
The vulnerability can be exploited by authenticated attackers with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N), resulting in an unchanged scope (S:U). Successful exploitation provides high confidentiality impact (C:H), enabling data extraction, and low integrity impact (I:L) for potential modifications, with no availability impact (A:N). The CVSS v3.1 base score is 7.1.
Mitigation guidance and further details are available in referenced advisories, including the ATutor GitHub page (https://atutor.github.io/), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48117), and a VulnCheck advisory (https://www.vulncheck.com/advisories/atutor-id-sql-injection). Security practitioners should review these resources for patching instructions or input validation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31106
Vulnerability details
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible web application (ATutor admin page) directly enables remote exploitation of a public-facing app for data access/modification.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'id' parameter in admin_delete.php to block malicious SQL syntax before query execution.
- SI-2 (Flaw Remediation): mandates timely patching or code fixes for the unsanitized input flaw in ATutor 2.2.4 that enables the SQL injection.
- Restricts the authenticated attacker's privileges so that even a successful injection on the admin deletion page yields minimal database impact.
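The CWE-89 pattern behind this CVE and the SI-10 fix for it, as an added Python/SQLite stand-in for the PHP deletion script (this is illustrative code, not ATutor's; the `members` table, its columns and the sample rows are constructed):

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the LMS user table (not ATutor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    conn.commit()
    return conn

def delete_member_unsafe(conn: sqlite3.Connection, raw_id: str) -> int:
    """The vulnerable shape: the request parameter is spliced straight into
    the SQL text, so any SQL syntax in 'id' becomes part of the query."""
    cur = conn.execute(f"DELETE FROM members WHERE member_id = {raw_id}")
    conn.commit()
    return cur.rowcount  # rows actually removed

# SI-10: the only acceptable 'id' is a positive decimal integer of bounded length.
_MEMBER_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def is_valid_member_id(raw_id: str) -> bool:
    return _MEMBER_ID_RE.fullmatch(raw_id.strip()) is not None

def delete_member_safe(conn: sqlite3.Connection, raw_id: str) -> int:
    """Hardened form: reject anything that is not an integer id, then bind the
    value as a parameter so it can never be parsed as SQL."""
    if not is_valid_member_id(raw_id):
        raise ValueError("invalid member id")
    member_id = int(raw_id.strip())
    cur = conn.execute("DELETE FROM members WHERE member_id = ?", (member_id,))
    conn.commit()
    return cur.rowcount

def remaining_ids(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute(
        "SELECT member_id FROM members ORDER BY member_id")]

if __name__ == "__main__":
    db = make_db()
    print("safe delete of id 2 removed", delete_member_safe(db, "2"), "row(s)")
    print("non-integer id accepted by validator:", is_valid_member_id("2 OR 1=1"))
```

Under CVSS this is the PR:L / AV:N path described above: the caller is already authenticated, and the only thing standing between a request and the database is whether 'id' is validated and bound.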