QwikSec

Security Database

CVE

CWE

Training

CVE-2020-37084

Published: Feb 3, 2026

Modified: Mar 5, 2026

PUBLISHED

Description

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.

Vendor	Product	Versions
Arox	School ERP Pro	affected `1.0`

Weaknesses (CWE)

References

ExploitDB-48392

exploit

technical-description

Archived Vendor Homepage

product

Archived SourceForge Product Page

product

VulnCheck Advisory: School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.