Cyber Posture

CVE-2020-37084

Severity: High · Public PoC

Published: 03 February 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37084 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Arox School Erp Pro. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 35.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses CWE-434: Dangerous file uploads can be detonated in a detonation chamber to determine malice before any production write or execution occurs.

addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

NVD Description

School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server.

Deeper analysis (AI)

CVE-2020-37084 is a remote code execution vulnerability affecting School ERP Pro 1.0. The flaw arises from improper file validation in the pre-editstudent.inc.php component, which allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. It is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator can exploit this vulnerability remotely with low attack complexity and no user interaction required. Successful exploitation enables the attacker to execute arbitrary code on the server, potentially leading to full compromise of the affected system with high impacts on confidentiality, integrity, and availability.

Advisories and exploit details are available in the provided references, including an Exploit-DB entry (48392) demonstrating the profile photo upload for RCE and a VulnCheck advisory on the School ERP Pro admin profile photo upload vulnerability. Archived project pages from SourceForge and arox.in are also referenced, though no specific patches or mitigation steps are detailed in the CVE information.

Details

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

Vendor: arox
Product: school erp pro
Version: 1.0

CVEs Like This One

CVE-2020-37090 (same product: Arox School Erp Pro)
CVE-2020-37088 (same product: Arox School Erp Pro)
CVE-2020-37089 (same product: Arox School Erp Pro)
CVE-2021-35485 (shared CWE-434)
CVE-2020-36942 (shared CWE-434)
CVE-2025-34299 (shared CWE-434)
CVE-2025-26411 (shared CWE-434)
CVE-2024-57169 (shared CWE-434)
CVE-2023-53933 (shared CWE-434)
CVE-2025-68909 (shared CWE-434)
