CVE-2020-37090 in School ERP Pro

Summary

by MITRE • 02/04/2026

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.


Analysis

by VulDB Data Team • 02/04/2026

CVE-2020-37090 affects School ERP Pro version 1.0, a web-based management system for schools and other educational institutions. The weakness is critical because it directly compromises the integrity and confidentiality of the affected system. It sits in the messaging component, where users can attach files to messages; that attachment handler is the attack surface through which an attacker can gain unauthorized access to, and control over, the underlying server.

The flaw is an unrestricted file upload caused by inadequate input validation and sanitization in the message attachment functionality. The application does not verify the type of the uploaded file, so a user with ordinary student-level access can submit a PHP file without any further authorization. Because the web server processes uploaded PHP files as scripts, the attachment feature becomes a path to remote code execution: the vulnerability is triggered whenever a student-level user uploads an attachment through the messaging interface, exploiting the missing file type restrictions and the absence of content validation.

The impact extends well beyond unauthorized file uploads, because successful exploitation yields complete remote code execution on the server. An attacker can run arbitrary commands on the target, leading to data theft, system compromise, or full server takeover. This is especially severe in educational environments, where sensitive student information, academic records, and institutional data are stored. In effect the bug escalates student-level access to full administrative control, opening the door to persistent threats, data exfiltration, and disruption of educational services. Exploitation requires minimal technical expertise, which makes the issue dangerous even in the hands of low-skill threat actors.

Security professionals should apply several layers of defense. The first step is to update School ERP Pro to the latest version that addresses this flaw. Mitigation must also include strict file type validation, accepting only a predetermined allowlist of safe extensions, combined with content-based analysis of the uploaded bytes to detect malicious payloads. Proper access controls and privilege separation limit the damage if an attacker does get in through this vulnerability, preventing escalation beyond the initially compromised account. Network segmentation and monitoring should be in place to detect and block unauthorized file upload attempts, and a web application firewall can identify and block suspicious upload patterns. The vulnerability is classified as CWE-434 (insecure file upload) and is a clear violation of the principle of least privilege. In ATT&CK terms it maps to T1190 for exploitation of remote services and T1059 for execution of malicious code through command injection, reflecting the multi-faceted nature of the threat. A compromised host of this kind also enables lateral movement, since attackers can use it as a foothold to reach other connected systems and resources.
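The following is an added example, not code from School ERP Pro or from VulDB, showing the upload controls the analysis calls for in a Python handler: an extension allowlist, rejection of script extensions hidden in multi-dot names, magic-byte checks that the content matches the claimed type, a scan for embedded PHP open tags, and a random server-chosen storage name under a directory outside the web root. The weak pattern that the analysis describes (trusting the client-declared type and never inspecting the bytes) is shown beside it for contrast. The storage path, size limit and sample files are constructed for the example and are not taken from the product.

```python
"""Hardened attachment validation for a messaging-style upload feature.

Added example, not School ERP Pro code. The storage directory, the size
limit and the sample payloads below are constructed for illustration.
"""
import os
import re
import secrets

# Allowlist of attachment types a messaging feature reasonably needs,
# mapping each permitted extension to the magic bytes a genuine file starts with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Dotted segments that a web server might interpret as script are rejected
# even when the final extension is allowed (e.g. "report.php.jpg").
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Assumed storage location outside the document root (hypothetical path).
ATTACHMENT_DIR = "/var/lib/school_erp/attachments"

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # constructed limit for the example


def vulnerable_is_allowed(client_filename: str, client_mime: str) -> bool:
    """The weak pattern: trusts the client-supplied MIME type and never looks at
    the bytes or the extension, so a .php file declared as image/png passes."""
    return client_mime.startswith("image/") or client_mime == "application/pdf"


def validate_attachment(client_filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Decides on the bytes, never on the client MIME type."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_ATTACHMENT_BYTES:
        return False, "attachment too large"

    # Strip any path component; only the base name is considered.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    if any(p in SCRIPT_EXTENSIONS for p in parts[:-1]):
        return False, "script extension embedded in filename"

    # Content check 1: the bytes must carry the signature of the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match .{ext} signature"

    # Content check 2: reject PHP open tags anywhere in the body (polyglot images).
    if re.search(rb"<\?(php|=)", data, re.IGNORECASE):
        return False, "embedded PHP tag"

    return True, "ok"


def storage_name(client_filename: str) -> str:
    """Random server-chosen name with the vetted extension; the client name is never reused."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    assert ext in ALLOWED_TYPES
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(client_filename: str, client_mime: str, data: bytes) -> dict:
    """Simulated endpoint handler: returns the decision, the reason, where the file
    would be stored, and what the weak check would have decided for comparison."""
    accepted, reason = validate_attachment(client_filename, data)
    result = {
        "accepted": accepted,
        "reason": reason,
        "weak_check_would_accept": vulnerable_is_allowed(client_filename, client_mime),
    }
    if accepted:
        result["stored_as"] = os.path.join(ATTACHMENT_DIR, storage_name(client_filename))
    return result


# Constructed sample inputs: a valid PNG header, a bare PHP tag, and a JPEG
# header followed by a PHP tag (a polyglot that passes a magic-byte check alone).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_PHP_SCRIPT = b"<?php /* constructed sample */ ?>"
SAMPLE_POLYGLOT_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* constructed */ ?>"

if __name__ == "__main__":
    for name, mime, body in [
        ("homework.png", "image/png", SAMPLE_PNG),
        ("shell.php", "image/png", SAMPLE_PHP_SCRIPT),
        ("report.php.jpg", "image/jpeg", SAMPLE_POLYGLOT_JPG),
        ("photo.jpg", "image/jpeg", SAMPLE_POLYGLOT_JPG),
    ]:
        print(name, handle_upload(name, mime, body))
```

The decision is made entirely on the server side from the bytes and the vetted extension; the client-declared MIME type is only reported, never trusted. Storing under a random name in a directory the web server does not serve means that even a file that slips past validation is never reachable as a URL, which is the property the student-level upload in this advisory violates.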

Responsible: VulnCheck

Reservation: 02/01/2026

Disclosure: 02/04/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.01346

KEV: no

Activities: very low

Sources
