#VU65433 Arbitrary file upload in School ERP Pro - CVE-2022-32119

Published: July 19, 2022 / Updated: July 20, 2022

Vulnerability identifier: #VU65433
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-32119
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: School ERP Pro
Software vendor: Arox

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to insufficient validation of uploaded files in the Add Photo function in the photogalleries.inc.php script and the import staff excel function in the 1finance_master.inc.php script. A remote user can upload a malicious file and execute it on the server.
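As an added illustration (not code from School ERP Pro, whose handlers are not shown on this page), the following PHP routine applies the checks that address a CWE-434 weakness of the kind described: a per-feature allowlist for the photo gallery and the staff spreadsheet import, content sniffing instead of trusting the client-supplied type, and storage under a server-generated name outside the web root. The policy names, the `UPLOAD_ROOT` path and the function name are assumptions.

```php
<?php
// Added example, not the product's own code. Per-feature allowlists: the gallery
// accepts only images, the staff import only spreadsheets (policy names assumed).
const UPLOAD_POLICIES = [
    'photo' => ['ext'  => ['jpg', 'jpeg', 'png', 'gif'],
                'mime' => ['image/jpeg', 'image/png', 'image/gif']],
    'staff_import' => ['ext'  => ['xls', 'xlsx'],
                       'mime' => ['application/vnd.ms-excel',
                                  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet']],
];

// Assumed destination outside the document root, so nothing stored here can be
// requested (and executed) through the web server. Subdirectories assumed to exist.
const UPLOAD_ROOT = '/var/app/uploads';

/**
 * Validate and store one entry of $_FILES under the given policy.
 * Returns the stored path; throws on any rejection.
 */
function store_upload(array $file, string $policy): string
{
    if (!isset(UPLOAD_POLICIES[$policy])) {
        throw new InvalidArgumentException('unknown upload policy');
    }
    $rules = UPLOAD_POLICIES[$policy];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not a real upload');
    }

    // Every extension component must be on the allowlist, so a double
    // extension such as "x.php.jpg" is rejected, not just the last part checked.
    $parts = explode('.', strtolower(basename($file['name'])));
    array_shift($parts);                       // drop the base name
    if ($parts === [] || array_diff($parts, $rules['ext']) !== []) {
        throw new RuntimeException('file extension not allowed');
    }
    $ext = end($parts);

    // Sniff the actual bytes; $file['type'] comes from the client and is never trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $rules['mime'], true)) {
        throw new RuntimeException('file content does not match an allowed type');
    }

    // Server-generated name: the client's filename never reaches the filesystem.
    $dest = UPLOAD_ROOT . '/' . $policy . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

Older libmagic builds report .xlsx files as `application/zip` rather than the OOXML type, so the MIME allowlist should be checked against the deployed PHP/libmagic combination before relying on it.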


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links