CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2019-13294

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0120%
EPSS Percentile18.73th
Published2019年7月4日
Last Modified2024年11月21日

Vulnerability Description

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.

Affected Platforms (CPE)

📦
Arox

School Erp

All versions

References & Advisories

🔗 http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html
🔗 https://www.exploit-db.com/exploits/46999
🔗 http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html
🔗 https://www.exploit-db.com/exploits/46999

相關漏洞威脅

CVE-2017-159789.8

AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.

CVE-2020-370909.8

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system...

CVE-2020-370898.2

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate dat...

CVE-2020-370887.5

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manip...