Cyber Resilience

CVE-2020-37084

High · Public PoC

Published: 03 February 2026
Modified: 10 February 2026
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0081 (52.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37084 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Arox School Erp Pro. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2020-37084 is a remote code execution vulnerability affecting School ERP Pro 1.0. The flaw arises from improper file validation in the pre-editstudent.inc.php component, which allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. It is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation enables the attacker to execute arbitrary code on the server, potentially leading to full compromise of the affected system with high impacts on confidentiality, integrity, and availability.

Advisories and exploit details are available in the references provided, including an Exploit-DB entry (48392) demonstrating the profile-photo upload for RCE and a VulnCheck advisory on the School ERP Pro admin profile-photo upload vulnerability. Archived project pages from SourceForge and arox.in are also referenced, though the CVE information details no specific patches or mitigation steps.

Vulnerability details

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted PHP file upload (CWE-434) in a web app directly enables web shell deployment (T1505.003) for RCE and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37090 (same product: Arox School Erp Pro)
CVE-2020-37089 (same product: Arox School Erp Pro)
CVE-2020-37088 (same product: Arox School Erp Pro)
CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)

Affected Assets

arox school erp pro, version 1.0

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces validation of file content and type on upload, blocking the arbitrary PHP file bypass in pre-editstudent.inc.php.

Prevent/Detect: Requires malicious-code scanning and blocking of uploaded files before they can be stored or executed as profile photos.

Prevent: Restricts system functionality to prohibit execution of uploaded scripts or storage of dangerous file types in web directories.
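As an added example (not code from Arox School ERP Pro or from this advisory), a hardened PHP profile-photo upload handler of the kind the first and third controls describe: the stored extension is derived from the sniffed image bytes rather than the client-supplied name, and the file lands in a directory outside the web root. UPLOAD_DIR, the constant names and the function names are assumptions.

```php
<?php
// Added example, not Arox School ERP Pro code: hardened profile-photo upload.
// The stored extension comes from the sniffed image bytes, never from the
// client filename or Content-Type. UPLOAD_DIR is an assumed path the web
// server neither serves nor executes.
const UPLOAD_DIR  = '/var/lib/schoolerp/profile_photos'; // assumed, outside web root
const MAX_BYTES   = 2 * 1024 * 1024;
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];
const MIME_TO_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the server-chosen extension, or throws if the upload is not an image.
function validate_profile_photo(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Every dotted segment after the base name must be an allowed image
    // extension, so "x.php", "x.php.jpg" and "x.phtml" are all rejected.
    $segments = explode('.', strtolower(basename($f['name'])));
    array_shift($segments);
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            throw new RuntimeException('disallowed extension');
        }
    }
    // Decide the type from the bytes; $f['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']) ?: '';
    if (!isset(MIME_TO_EXT[$mime]) || @getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('not a supported image');
    }
    return MIME_TO_EXT[$mime];
}

function store_profile_photo(array $f): string
{
    $ext  = validate_profile_photo($f);
    // Random server-chosen name: the client controls neither name nor extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app user only, never executable
    return $name;       // persist this; serve it through a read-only handler
}
// Usage (constructed): $stored = store_profile_photo($_FILES['photo']);
```

Pair this with web-server configuration that refuses to execute scripts from the upload location, which is the CM-7 half of the mitigation.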
