CVE-2020-37084

High CVSS: 8.6

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.

Vendor

Arox

Product

School Erp Pro

CWE

CWE-434

Yayın Tarihi

2026-02-03 23:16:04

Güncelleme

2026-02-10 16:59:24

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-434 School Erp Pro HIGH Arox 2026

Referanslar

https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/ https://web.archive.org/web/20200129123503/http://arox.in/ https://www.exploit-db.com/exploits/48392 https://www.vulncheck.com/advisories/school-erp-pro-admin-profile-photo-upload-remote-code-execution-vulnerability

Benzer Kayıtlar

High

CVE-2020-37090

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messag…

High

CVE-2020-37088

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary file…

High

CVE-2020-37089

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to mani…