CVE-2022-32119

HIGH

Arox School ERP Pro 1.0 - Arbitrary File Upload via Add Photo and Import Staff Excel Functions

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-32119. PoCs published by JC175.

AI-analyzed exploit summary: This repository provides a functional proof-of-concept for CVE-2022-32119, demonstrating unrestricted file upload vulnerabilities in multiple endpoints of the Arox system, allowing arbitrary PHP code execution. It includes detailed HTTP request templates for both authenticated and unauthenticated exploitation paths.

Description

Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.

Exploits (1)

nomisec WORKING POC 17 stars
by JC175 · poc
https://github.com/JC175/CVE-2022-32119

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Arox (version not specified)
Auth required
Prerequisites: Access to vulnerable endpoints · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Not Applicable, x_refsource_misc: http://school.com
Not Applicable, x_refsource_misc: http://arox.com
Exploit, Third Party Advisory, x_refsource_misc: https://github.com/JC175/CVE-2022-32119

Scores

CVSS v3 8.8
EPSS 0.0199
EPSS Percentile 78.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status published
Products (1): arox/school_erp_pro 1.0
Published Jul 15, 2022
Tracked Since Feb 18, 2026