
Description

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.

Status: PUBLISHED | Reserved 2026-02-01 | Published 2026-02-03 | Updated 2026-02-04 | Assigner: VulnCheck

HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N)
HIGH: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Version 1.0: affected

Credits

Besim ALTINOK (finder)

References

www.exploit-db.com/exploits/48390 (ExploitDB-48390) exploit

web.archive.org/web/20200129123503/http://arox.in/ (Archived Vendor Homepage) product

web.archive.org/...ceforge.net/projects/school-erp-ultimate/ (Archived SourceForge Product Page) product

www.vulncheck.com/...hool-erp-pro-esmessagesid-sql-injection (VulnCheck Advisory: School ERP Pro 1.0 - 'es_messagesid' SQL Injection) third-party-advisory

cve.org (CVE-2020-37089)

nvd.nist.gov (CVE-2020-37089)
