Shodan
Vulnerabilities
Vulnerable Software
Arox:  Security Vulnerabilities
CVE-2024-4824
Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the database.
CVSS Score
9.8
EPSS Score
0.018
Published
2024-05-14
CVE-2024-4823
Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-05-14
CVE-2024-4822
Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the username and password parameters in '/index.php'. This vulnerability allows an attacker to partially take control of the victim's browser session.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-05-14
CVE-2022-32119
Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.
CVSS Score
8.8
EPSS Score
0.123
Published
2022-07-15
CVE-2022-32118
Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.
CVSS Score
6.1
EPSS Score
0.05
Published
2022-07-15
CVE-2020-8504
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-01-31
CVE-2020-8505
School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=deleteadmin CSRF to delete a user.
CVSS Score
6.5
EPSS Score
0.004
Published
2020-01-31
CVE-2019-13294
AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.
CVSS Score
9.8
EPSS Score
0.343
Published
2019-07-04
CVE-2017-15978
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
CVSS Score
9.8
EPSS Score
0.014
Published
2017-10-31


Products
Pricing
Contact Us

Shodan ® - All rights reserved