Cyber Resilience

CVE-2020-37089

HighPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37089 is a high-severity SQL Injection (CWE-89) vulnerability in Arox School Erp Pro. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37089 is a SQL injection vulnerability (CWE-89) affecting School ERP Pro 1.0, specifically in the 'es_messagesid' parameter. The flaw enables attackers to manipulate database queries through GET requests by injecting crafted SQL statements.

Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction required, consistent with its CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation allows potential extraction of sensitive database information (high confidentiality impact), limited modification of data (low integrity impact), and deletion of database records.

Advisories and related resources include a VulnCheck advisory on the School ERP Pro esmessagesid SQL injection, an Exploit-DB proof-of-concept (exploit 48390), and archived project pages from SourceForge (School ERP Ultimate) and arox.in. No specific patches or mitigations are detailed in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete…

more

database information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in public-facing web app (School ERP Pro) directly enables remote exploitation of the application for data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37090Same product: Arox School Erp Pro
CVE-2020-37084Same product: Arox School Erp Pro
CVE-2020-37088Same product: Arox School Erp Pro
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89

Affected Assets

arox
school erp pro
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation of the 'es_messagesid' parameter to ensure only legitimate inputs reach database queries.

prevent

Mandates timely identification, reporting, and correction of the SQL injection flaw in School ERP Pro 1.0.

preventdetect

Boundary protection with web application firewalls can inspect and block crafted SQL payloads in GET requests targeting the vulnerable parameter.

References