CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2020-37089

HIGH
8.2
CVSS Severity Score
EPSS Score0.0650%
EPSS Percentile19.30th
Published2026年2月3日
Last Modified2026年2月10日

Vulnerability Description

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.

Affected Platforms (CPE)

📦
Arox

School Erp Pro

= 1.0

References & Advisories

🔗 https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/
🔗 https://web.archive.org/web/20200129123503/http://arox.in/
🔗 https://www.exploit-db.com/exploits/48390
🔗 https://www.vulncheck.com/advisories/school-erp-pro-esmessagesid-sql-injection

相關漏洞威脅

CVE-2019-132949.8

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. There...

CVE-2020-370909.8

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system...

CVE-2020-370887.5

School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manip...

CVE-2020-370847.2

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP fi...