CyberSec.Space Logo
Back to CVE Browser

CVE-2020-37088

HIGH
7.5
CVSS Severity Score
EPSS Score0.1240%
EPSS Percentile31.82th
PublishedFeb 3, 2026
Last ModifiedFeb 10, 2026

Vulnerability Description

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information.

Affected Platforms (CPE)

πŸ“¦
Arox

School Erp Pro

= 1.0

References & Advisories

πŸ”— https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/
πŸ”— https://web.archive.org/web/20200129123503/http://arox.in/
πŸ”— https://www.exploit-db.com/exploits/48394
πŸ”— https://www.vulncheck.com/advisories/school-erp-pro-arbitrary-file-read

Related Vulnerabilities

CVE-2019-132949.8

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. There...

CVE-2020-370909.8

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system...

CVE-2020-370898.2

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate dat...

CVE-2020-370847.2

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP fi...

CVE-2020-37088 Detail & Impact Analysis | CVSS 7.5 (HIGH) | Cyber-Sec.Space | Cyber-Sec.Space