CVE-2020-37089
Published: 03 February 2026
Summary
CVE-2020-37089 is a high-severity SQL Injection (CWE-89) vulnerability in Arox School Erp Pro. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37089 is a SQL injection vulnerability (CWE-89) affecting School ERP Pro 1.0, specifically in the 'es_messagesid' parameter. The flaw enables attackers to manipulate database queries through GET requests by injecting crafted SQL statements.
Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction required, consistent with its CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation allows potential extraction of sensitive database information (high confidentiality impact), limited modification of data (low integrity impact), and deletion of database records.
Advisories and related resources include a VulnCheck advisory on the School ERP Pro esmessagesid SQL injection, an Exploit-DB proof-of-concept (exploit 48390), and archived project pages from SourceForge (School ERP Ultimate) and arox.in. No specific patches or mitigations are detailed in the provided information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31006
Vulnerability details
School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete…
more
database information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (School ERP Pro) directly enables remote exploitation of the application for data access/modification.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by requiring validation of the 'es_messagesid' parameter to ensure only legitimate inputs reach database queries.
Mandates timely identification, reporting, and correction of the SQL injection flaw in School ERP Pro 1.0.
Boundary protection with web application firewalls can inspect and block crafted SQL payloads in GET requests targeting the vulnerable parameter.