Arox

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-37084 1Arox 1School Erp Pro Feb 10, 2026 Feb 3, 2026 8.6 HIGH· v4 7.2 HIGH· v3 N/A· v2 School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper f...Show more School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.Show less
CVE-2020-37090 1Arox 1School Erp Pro Feb 10, 2026 Feb 3, 2026 8.7 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabl...Show more School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.Show less
CVE-2020-37089 1Arox 1School Erp Pro Feb 10, 2026 Feb 3, 2026 7.1 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by inje...Show more School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.Show less
CVE-2020-37088 1Arox 1School Erp Pro Feb 10, 2026 Feb 3, 2026 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configura...Show more School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information.Show less
CVE-2024-4824 1Arox 1School Erp Pro+responsive Oct 23, 2025 May 14, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability cou...Show more Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the database.Show less
CVE-2024-4823 1Arox 1School Erp Pro+responsive Oct 23, 2025 May 14, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker coul...Show more Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.Show less
CVE-2024-4822 1Arox 1School Erp Pro+responsive Oct 23, 2025 May 14, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the username and password parameters in '/index.php'. This vulnerability allows an attacker to partially take control of the victim's browser session.
CVE-2022-32119 1Arox 1School Erp Pro Nov 21, 2024 Jul 15, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.
CVE-2022-32118 1Arox 1School Erp Pro Nov 21, 2024 Jul 15, 2022 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.
CVE-2020-8505 1Arox 1School Management Software Php/mysql Nov 21, 2024 Jan 31, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user.
CVE-2020-8504 1Arox 1School Management Software Php/mysql Nov 21, 2024 Jan 31, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.
CVE-2019-13294 1Arox 1School Erp Nov 21, 2024 Jul 4, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
CVE-2017-15978 1Arox 1School Erp Php Script May 13, 2026 Oct 31, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.