cbcvebase.
CVE-2019-13294
published 2019-07-04

Priority: P2 (74)
Severity: critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 18.75% (96.9th percentile)
AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.

Detection & IOCs (extracted from sources)

Paths:
  • /greatbritain/greatbritain/upload_fille.php
  • /greatbritain/greatbritain/upload_data/
Filenames:
  • upload_fille.php
  • import_stud.php
  • Detect unauthenticated POST requests to upload_fille.php carrying multipart/form-data with a PHP file upload (form field name 'txtdocname'); the vulnerable script does not require a valid session cookie.
  • Alert on HTTP 200 responses from upload_fille.php whose body contains the string 'Successfully', which indicates a successful unauthenticated PHP webshell upload.
  • Monitor GET requests to /greatbritain/greatbritain/upload_data/*.php; this is the path from which an uploaded PHP webshell is executed after a successful upload.
  • The session control calls on lines 8–10 of the vulnerable scripts are commented out with slashes, so any request to these endpoints that arrives without a session cookie should be treated as suspicious.
  • Uploaded webshell filenames follow the pattern of 8 random lowercase alphabetic characters followed by .php (e.g., abcdefgh.php); flag the creation of such files under the upload_data directory.
  • The vulnerable upload and execution paths are hardcoded under the 'greatbritain/greatbritain/' subdirectory; scope detections to this specific path prefix rather than to generic PHP upload endpoints.
  • The exploit targets PHP specifically, so detections for webshell execution should focus on PHP processes spawned from the web server context.
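
The detection guidance above, turned into runnable log-matching logic as an added example (not code from the page's sources or from the vendor): it scans constructed access-log lines in Apache combined format extended with a trailing quoted Cookie field, and flags (a) POST requests to the two endpoints that lack session control when no PHPSESSID cookie is present and (b) GET requests to 8-lowercase-letter .php files under upload_data/. The log format, the PHPSESSID cookie name, the IP addresses and the sample lines are all assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic). Apache "combined" format
# plus a trailing quoted %{Cookie}i field; "-" means the request carried no cookie.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2019:10:00:01 +0000] "POST /greatbritain/greatbritain/upload_fille.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [04/Jul/2019:10:00:03 +0000] "GET /greatbritain/greatbritain/upload_data/abcdefgh.php HTTP/1.1" 200 88 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [04/Jul/2019:10:01:00 +0000] "GET /greatbritain/greatbritain/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "PHPSESSID=3f1a2b9c"
198.51.100.7 - - [04/Jul/2019:10:01:05 +0000] "POST /greatbritain/greatbritain/upload_fille.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=3f1a2b9c"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Hardcoded application prefix from the advisory; detections are scoped to it.
PREFIX = "/greatbritain/greatbritain/"
UNAUTH_ENDPOINTS = {"upload_fille.php", "import_stud.php"}
# Uploaded webshell names: 8 random lowercase letters followed by .php.
WEBSHELL_RE = re.compile(re.escape(PREFIX) + r"upload_data/[a-z]{8}\.php$")


def has_session(cookie: str) -> bool:
    # Assumption: the application's session cookie is the PHP default, PHPSESSID.
    return "PHPSESSID=" in cookie


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for a suspicious request line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # ignore any query string
    if (m["method"] == "POST" and path.startswith(PREFIX)
            and path[len(PREFIX):] in UNAUTH_ENDPOINTS and not has_session(m["cookie"])):
        return {"ip": m["ip"], "rule": "unauthenticated_upload_endpoint", "path": path}
    if m["method"] == "GET" and WEBSHELL_RE.match(path):
        return {"ip": m["ip"], "rule": "upload_data_php_execution", "path": path}
    return None


def scan(log: str) -> List[Dict[str, str]]:
    """Scan a whole log text and collect findings in order of appearance."""
    return [hit for hit in map(classify, log.splitlines()) if hit]
```

Only the two lines from 203.0.113.5 are flagged; the authenticated POST from 198.51.100.7 is not, so pair this with the response-body and file-creation checks from the list above.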

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)