CVE-2020-8504

School Management Software PHP/mySQL through 2019-03-14 allows office_admin/?action=addadmin CSRF to add an administrative user.
Source: NIST
CVE-2020-8504