CVE-2020-37090

Published: Feb 3, 2026Modified: Feb 10, 2026

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.

Affected (1)

Products: Arox: School Erp Pro

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Arox School Erp Pro	Version 1.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/

Source: disclosure@vulncheck.com

Product

https://web.archive.org/web/20200129123503/http://arox.in/

Source: disclosure@vulncheck.com

Product

https://www.exploit-db.com/exploits/48392

Source: disclosure@vulncheck.com

ExploitThird Party AdvisoryVDB Entry

https://www.vulncheck.com/advisories/school-erp-pro-remote-code-execution

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.