CyberSec.Space Logo
Back to CVE Browser

CVE-2020-37084

HIGH
7.2
CVSS Severity Score
EPSS Score0.1110%
EPSS Percentile2.76th
PublishedFeb 3, 2026
Last ModifiedFeb 10, 2026

Vulnerability Description

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.

Affected Platforms (CPE)

πŸ“¦
Arox

School Erp Pro

= 1.0

References & Advisories

πŸ”— https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/
πŸ”— https://web.archive.org/web/20200129123503/http://arox.in/
πŸ”— https://www.exploit-db.com/exploits/48392
πŸ”— https://www.vulncheck.com/advisories/school-erp-pro-admin-profile-photo-upload-remote-code-execution-vulnerability

Related Vulnerabilities

CVE-2019-132949.8

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. There...

CVE-2020-370909.8

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system...

CVE-2020-370898.2

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate dat...

CVE-2020-370887.5

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manip...