ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
PUBLISHED5.2CWE-89
ATutor 2.2.4 - 'id' SQL Injection
Problem type
Affected products
Atutor
ATutor
2.2.4 - AFFECTED
References
ExploitDB-48117
https://www.exploit-db.com/exploits/48117
ATutor Official Homepage
https://atutor.github.io/
VulnCheck Advisory: ATutor 2.2.4 - 'id' SQL Injection
https://www.vulncheck.com/advisories/atutor-id-sql-injection
GitHub Security Advisories
GHSA-qhqf-2vhv-8929
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows...
https://github.com/advisories/GHSA-qhqf-2vhv-8929ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2020-37147Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2020-37147",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-06T23:14:08.356Z",
"dateReserved": "2026-02-03T16:27:45.309Z",
"datePublished": "2026-02-06T23:14:08.356Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-06T23:14:08.356Z"
},
"datePublic": "2020-02-23T00:00:00.000Z",
"title": "ATutor 2.2.4 - 'id' SQL Injection",
"descriptions": [
{
"lang": "en",
"value": "ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information."
}
],
"affected": [
{
"vendor": "Atutor",
"product": "ATutor",
"versions": [
{
"version": "2.2.4",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"cweId": "CWE-89",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/48117",
"name": "ExploitDB-48117",
"tags": [
"exploit"
]
},
{
"url": "https://atutor.github.io/",
"name": "ATutor Official Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/atutor-id-sql-injection",
"name": "VulnCheck Advisory: ATutor 2.2.4 - 'id' SQL Injection",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "Andrey Stoykov",
"type": "finder"
}
]
}
}
}