School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.
References
| Link | Resource |
|---|---|
| https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/ | Product |
| https://web.archive.org/web/20200129123503/http://arox.in/ | Product |
| https://www.exploit-db.com/exploits/48392 | Exploit Third Party Advisory VDB Entry |
| https://www.vulncheck.com/advisories/school-erp-pro-admin-profile-photo-upload-remote-code-execution-vulnerability | Third Party Advisory |
Configurations
History
10 Feb 2026, 16:59
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:arox:school_erp_pro:1.0:*:*:*:*:*:*:* | |
| First Time |
Arox school Erp Pro
Arox |
|
| References | () https://web.archive.org/web/20190612111732/https://sourceforge.net/projects/school-erp-ultimate/ - Product | |
| References | () https://web.archive.org/web/20200129123503/http://arox.in/ - Product | |
| References | () https://www.exploit-db.com/exploits/48392 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.vulncheck.com/advisories/school-erp-pro-admin-profile-photo-upload-remote-code-execution-vulnerability - Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
03 Feb 2026, 23:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-03 23:16
Updated : 2026-02-10 16:59
NVD link : CVE-2020-37084
Mitre link : CVE-2020-37084
CVE.ORG link : CVE-2020-37084
JSON object : View
Products Affected
arox
- school_erp_pro
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type