How to fix CVE-2020-37147?

Within 24 hours: Audit all admin accounts with user deletion privileges and review recent deletion activity logs for anomalies. Within 7 days: Implement network segmentation to restrict admin interface access to trusted IP ranges and enforce multi-factor authentication for administrative accounts. Within 30 days: Evaluate upgrade feasibility to a patched version or decommission ATutor if not operationally critical; if retention is necessary, deploy a Web Application Firewall (WAF) with SQL injection detection rules targeting the user deletion endpoint.

Is PHP affected by CVE-2020-37147?

ATutor 2.2.4 installations contain a SQL injection vulnerability in the admin user management interface that could allow authenticated administrators with malicious intent to manipulate or exfiltrate sensitive database records.

CVE-2020-37147

HIGH

2026-02-07 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 09, 2026 - 16:08 vuln.today

Public exploit code

CVE Published

Feb 07, 2026 - 00:15 nvd

HIGH 7.1

Description

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

Analysis

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. [CVSS 7.1 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects admin user deletion page. ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

Affected Products

Product: admin user deletion page.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: +20

CVE-2020-37147 vulnerability details – vuln.today

Back

CVE-2020-37147

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-37147

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code