CVE-2020-37147
Description
ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ATutor 2.2.4 admin user deletion page is vulnerable to SQL injection via the 'id' parameter, allowing authenticated attackers to extract or modify database information.
Vulnerability
Overview
CVE-2020-37147 describes a SQL injection vulnerability in ATutor 2.2.4, an open-source learning management system. The flaw resides in the admin_delete.php script, specifically within the admin user deletion page. The 'id' parameter is not properly sanitized before being used in database queries, allowing an authenticated attacker to inject arbitrary SQL statements [1][2].
Exploitation
An attacker must be authenticated as an administrator to reach the vulnerable page. By manipulating the 'id' parameter in the URL (e.g., http:///atutor/mods/_core/users/admin_delete.php?id=17'), the attacker can inject malicious SQL code. Public exploit code demonstrates using tools like sqlmap with a valid User-Agent to automate the exploitation against a MySQL backend [3].
Impact
Successful exploitation enables an attacker to extract sensitive information from the database, such as user credentials or course data, and potentially modify or delete records. The CVSS v3 base score of 7.1 (High) reflects the significant impact on confidentiality and integrity, though the attack requires prior authentication [2].
Mitigation
As of the latest available information, ATutor 2.2.4 is the affected version. No patch has been released; administrators should restrict access to admin endpoints, apply input validation, or upgrade to a newer version if available. The vendor's website still lists 2.2.4 as the current release [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.