CVE-2020-37088

High CVSS: 8.7

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information.

Vendor

Arox

Product

School Erp Pro

CWE

CWE-22

Yayın Tarihi

2026-02-03 22:16:24

Güncelleme

2026-02-10 17:03:53

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-22 School Erp Pro HIGH Arox 2026

Referanslar

https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/ https://web.archive.org/web/20200129123503/http://arox.in/ https://www.exploit-db.com/exploits/48394 https://www.vulncheck.com/advisories/school-erp-pro-arbitrary-file-read

Benzer Kayıtlar

High

CVE-2020-37084

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitr…

High

CVE-2020-37090

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messag…

High

CVE-2020-37089

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to mani…