Search results for "Sapplica Sentrifugo 3.2": 17 matches found

CVE-2019-16059 (added 2019/09/06)

Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.

CVSS 8.8 | AI score 8.4 | EPSS 0.00145
CVE-2020-26805 (added 2020/11/12)

In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by an SQLi vulnerability. An attacker can inject SQL commands into the query, read data from the database or wri...

CVSS 7.2 | AI score 7.3 | EPSS 0.00533
CVE-2024-29870 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a speciall...

CVSS 9.8 | AI score 9.7 | EPSS 0.00591
CVE-2024-29872 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVSS 9.8 | AI score 9.7 | EPSS 0.00573
CVE-2024-29875 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVSS 9.8 | AI score 9.7 | EPSS 0.00573
CVE-2024-29873 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVSS 9.8 | AI score 9.7 | EPSS 0.00573
CVE-2024-29876 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVSS 9.8 | AI score 9.7 | EPSS 0.00562
CVE-2024-29877 (added 2024/03/21)

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVSS 7.1 | AI score 6.3 | EPSS 0.00058
CVE-2024-29878 (added 2024/03/21)

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVSS 7.1 | AI score 6.3 | EPSS 0.00068
CVE-2024-29871 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data...

CVSS 9.8 | AI score 9.7 | EPSS 0.00573
CVE-2024-29874 (added 2024/03/21)

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVSS 9.8 | AI score 9.7 | EPSS 0.00573
CVE-2024-29879 (added 2024/03/21)

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVSS 7.1 | AI score 6.3 | EPSS 0.00058
CVE-2018-15873 (added 2018/08/28)

A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.

CVSS 9.8 | AI score 9.8 | EPSS 0.00264
CVE-2020-26803 (added 2020/11/12)

In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.

CVSS 8.8 | AI score 8.6 | EPSS 0.00423
CVE-2020-26804 (added 2020/11/12)

In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. Also, on this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload ma...

CVSS 8.8 | AI score 8.6 | EPSS 0.00423
CVE-2020-28365 (added 2020/12/30)

Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at the logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by ...

CVSS 6.1 | AI score 5.7 | EPSS 0.0024
CVE-2020-10218 (added 2020/03/13)

A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.

CVSS 6.5 | AI score 7 | EPSS 0.00229