PT-2026-5834 · Unknown · School ERP Pro
Published 2026-02-03 · Updated 2026-02-10 · CVE-2020-37084
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
School ERP Pro version 1.0
Description
School ERP Pro version 1.0 has a flaw that permits authenticated administrators to upload arbitrary PHP files as profile pictures, circumventing file extension validation. This is due to inadequate file validation within the pre-editstudent.inc.php file. An attacker can leverage this to execute code on the server. The vulnerable component is the file upload functionality for admin profile photos. The affected API endpoint is not explicitly mentioned. The vulnerable parameter is the profile photo upload field.
Recommendations
Apply updates to address improper file validation in pre-editstudent.inc.php.
Exploit
Fix
RCE
Unrestricted File Upload
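The description above attributes the flaw to inadequate validation of the admin profile-photo upload, so a PHP file can be stored where the server will execute it. As an added illustration of the missing control, not code from School ERP Pro or from pre-editstudent.inc.php, the handler below shows the checks a hardened photo upload applies: an extension allowlist, content verification via libmagic and the image header, and a server-generated file name. The `$_FILES` entry layout, the destination directory and the function name are assumptions.

```php
<?php
// Added example, not School ERP Pro code: a hardened admin profile-photo
// upload handler. The $_FILES entry layout, destination directory and
// the function name are assumptions for illustration.

const PHOTO_MAX_BYTES = 2 * 1024 * 1024;
// extension => MIME type that libmagic must report for the file CONTENT
const PHOTO_ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'gif' => 'image/gif'];

// Validate an uploaded photo and store it under a server-chosen name.
// Returns the stored file name; throws on any validation failure.
function storeProfilePhoto(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }
    if ($file['size'] > PHOTO_MAX_BYTES) {
        throw new RuntimeException('Photo exceeds size limit');
    }
    // Allowlist on the final suffix of the client name; the client name is
    // otherwise discarded below, so an executable extension never reaches disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(PHOTO_ALLOWED[$ext])) {
        throw new RuntimeException('Extension not permitted');
    }
    // Check the CONTENT, not the client's claimed type: libmagic and the image
    // header must both agree with the allowlisted extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    $info  = @getimagesize($file['tmp_name']);
    if ($mime !== PHOTO_ALLOWED[$ext] || $info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Content is not a permitted image');
    }
    // Never reuse the client name: random name plus the allowlisted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store photo');
    }
    return $name;
}
```

As a second layer independent of the validation code, the upload directory should be served with script execution disabled in the web server configuration, so that even a file that slips past validation is returned as static content rather than run.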
Affected Products
School ERP Pro