CVE-2020-37089

HighPublic PoC

Published: 03 February 2026

Published

03 February 2026

Modified

10 February 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0004 12.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37089 is a high-severity SQL Injection (CWE-89) vulnerability in Arox School Erp Pro. Its CVSS base score is 8.2 (High).

Operationally, ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by requiring validation of the 'es_messagesid' parameter to ensure only legitimate inputs reach database queries.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the SQL injection flaw in School ERP Pro 1.0.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls can inspect and block crafted SQL payloads in GET requests targeting the vulnerable parameter.

NVD Description

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete…

database information.

Deeper analysisAI

CVE-2020-37089 is a SQL injection vulnerability (CWE-89) affecting School ERP Pro 1.0, specifically in the 'es_messagesid' parameter. The flaw enables attackers to manipulate database queries through GET requests by injecting crafted SQL statements.

Remote unauthenticated attackers can exploit this vulnerability with low attack complexity and no user interaction required, consistent with its CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Exploitation allows potential extraction of sensitive database information (high confidentiality impact), limited modification of data (low integrity impact), and deletion of database records.

Advisories and related resources include a VulnCheck advisory on the School ERP Pro esmessagesid SQL injection, an Exploit-DB proof-of-concept (exploit 48390), and archived project pages from SourceForge (School ERP Ultimate) and arox.in. No specific patches or mitigations are detailed in the provided information.