CVE-2020-37090

Name of the Vulnerable Software and Affected Versions School ERP Pro version 1.0

Description School ERP Pro 1.0 has a file upload issue that permits students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts via the message attachment feature, leading to remote code execution on the server. The vulnerable feature is the message attachment functionality, which does not properly validate uploaded files. The affected API endpoint is the messaging system's file upload function. The vulnerable parameter is the file attachment, file.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.