CVE-2020-37089

HIGH

School ERP Pro 1.0 - SQL Injection via es_messagesid Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37089. PoCs published by Besim.

AI-analyzed exploit summary: This is a writeup detailing an SQL injection vulnerability in School ERP Pro 1.0, specifically in the 'es_messagesid' parameter. The writeup includes vulnerable code snippets and SQLmap output demonstrating boolean-based blind and UNION-based SQL injection techniques.

Description

School ERP Pro 1.0 contains a SQL injection vulnerability in the 'es_messagesid' parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information.

Exploits (1)

exploitdb WRITEUP
by Besim · text · webapps · php
https://www.exploit-db.com/exploits/48390

This is a writeup detailing an SQL injection vulnerability in School ERP Pro 1.0, specifically in the 'es_messagesid' parameter. The writeup includes vulnerable code snippets and SQLmap output demonstrating boolean-based blind and UNION-based SQL injection techniques.

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: School ERP Pro 1.0
Auth: required
Prerequisites: Access to the vulnerable application · Valid session with student privileges
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 8.2
EPSS 0.0034
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
arox/school_erp_pro 1.0
Published Feb 03, 2026
Tracked Since Feb 18, 2026