49 matches found
CVE-2020-37090
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server...
CVE-2020-37089
School ERP Pro 1.0 contains a SQL injection vulnerability in the 'esmessagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete databas...
CVE-2020-37088
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system...
CVE-2020-37088
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system...
CVE-2020-37084 School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability
School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the...
CVE-2020-37089 School ERP Pro 1.0 - 'es_messagesid' SQL Injection
School ERP Pro 1.0 contains a SQL injection vulnerability in the 'esmessagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete databas...
CVE-2020-37089
School ERP Pro 1.0 contains a SQL injection vulnerability in the 'esmessagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete databas...
CVE-2020-37090 School ERP Pro 1.0 - Remote Code Execution
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server...
CVE-2020-37089
CVE-2020-37089 concerns School ERP Pro 1.0 with a SQL injection in the es_messagesid parameter. The vulnerability can be exploited by sending crafted SQL via GET requests , potentially allowing attackers to extract, modify, or delete data . Root cause: improper handling of user-controlled input i...
CVE-2020-37090
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server...
CVE-2020-37088
School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the 'document' parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system...
PT-2026-5834
Name of the Vulnerable Software and Affected Versions School ERP Pro version 1.0 Description School ERP Pro version 1.0 has a flaw that permits authenticated administrators to upload arbitrary PHP files as profile pictures, circumventing file extension validation. This is due to inadequate file...
PT-2026-5840
Name of the Vulnerable Software and Affected Versions School ERP Pro version 1.0 Description School ERP Pro 1.0 has a file upload issue that permits students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts via the message attachment feature, leadi...
Arox School ERP Pro SQL注入漏洞
Arox School ERP Pro is a one-stop automation management platform offered by Arox Corporation. Version 1.0 of School ERP Pro has a SQL injection vulnerability. This vulnerability stems from the esmessagesid parameter, which allows attackers to inject custom SQL statements through GET requests. As ...
PT-2026-5839
Name of the Vulnerable Software and Affected Versions School ERP Pro version 1.0 Description School ERP Pro version 1.0 contains a SQL injection issue in the es messagesid parameter. Attackers can manipulate database queries through GET requests by injecting crafted SQL statements. This could all...
EUVD-2024-44413
Malicious code in bioql PyPI...
CVE-2022-32119
Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1financemaster.inc.php...
CVE-2019-13294
AROX School-ERP Pro has a command execution vulnerability. importstud.php and uploadfille.php do not have session control. Therefore an unauthenticated user can execute a command on the system...
CVE-2024-4824
Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/officeadmin/' index in the parameters groupsid, examname, classesid, esvoucherid, esclass, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and...
CVE-2024-4823
Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/officeadmin/' in the parameters esbankacc, esbankname, esbankpin, escheckno, estellernumber, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially...