CVE-2020-37147

HIGH

ATutor 2.2.4 - Authenticated SQL Injection via Admin User Deletion ID Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37147. PoCs published by Andrey Stoykov.

AI-analyzed exploit summary: This is a writeup describing an SQL injection vulnerability in ATutor 2.2.4, specifically in the 'id' parameter of the admin_delete.php script. It provides steps to reproduce the vulnerability and suggests using SQLMAP for exploitation.

Description

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

Exploits (1)

exploitdb WRITEUP
by Andrey Stoykov · text · webapps · php
https://www.exploit-db.com/exploits/48117

Classification: Writeup (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: ATutor 2.2.4
Auth required: yes
Prerequisites: Admin credentials · Valid session cookie
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Exploit, Third Party Advisory: https://www.exploit-db.com/exploits/48117
Product: https://atutor.github.io/
Third Party Advisory: https://www.vulncheck.com/advisories/atutor-id-sql-injection

Scores

CVSS v3 7.1
EPSS 0.0028
EPSS Percentile 19.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Atutor/ATutor 2.2.4
Published Feb 07, 2026
Tracked Since Feb 18, 2026