CyberSec.Space Logo
Back to CVE Browser

CVE-2019-13294

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0120%
EPSS Percentile18.73th
PublishedJul 4, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.

Affected Platforms (CPE)

πŸ“¦
Arox

School Erp

All versions

References & Advisories

πŸ”— http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html
πŸ”— https://www.exploit-db.com/exploits/46999
πŸ”— http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html
πŸ”— https://www.exploit-db.com/exploits/46999

Related Vulnerabilities

CVE-2017-159789.8

AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.

CVE-2020-370909.8

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system...

CVE-2020-370898.2

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate dat...

CVE-2020-370887.5

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manip...