Sapplica Sentrifugo vulnerabilities
18 known vulnerabilities affecting sapplica/sentrifugo.
Total CVEs: 18
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 5, MEDIUM 5
Vulnerabilities
CVE-2018-15873 | P3 | CRITICAL | CVSS 9.8 | PoC | affects v3.2 | 2018-08-28
[CRITICAL] CWE-89: A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.
Source: nvd
CVE-2020-26804 | P3 | HIGH | CVSS 8.8 | affects v3.2 | 2020-11-12
[HIGH] CWE-434: In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the ser
Source: nvd
CVE-2020-26803 | P3 | HIGH | CVSS 8.8 | affects v3.2 | 2020-11-12
[HIGH] CWE-434: In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.
Source: nvd
CVE-2023-29770 | P3 | HIGH | CVSS 8.8 | affects v3.5 | 2023-11-28
[HIGH] CWE-434: In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.
Source: nvd
CVE-2024-29870 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the d
Source: nvd
CVE-2024-29872 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2024-29873 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2024-29876 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2024-29874 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2024-29875 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2024-29871 | P3 | CRITICAL | CVSS 9.8 | affects v3.2 | 2024-03-21
[CRITICAL] CWE-89: SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.
Source: nvd
CVE-2020-26805 | P3 | HIGH | CVSS 7.2 | affects v3.2 | 2020-11-12
[HIGH] CWE-89: In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by a SQLi vulnerability. An attacker can inject SQL commands into the query and read data from or write data into the database.
Source: nvd
CVE-2019-16059 | P3 | HIGH | CVSS 8.8 | affects v3.2 | 2019-09-06
[HIGH] CWE-352: Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.
Source: nvd
CVE-2020-10218 | P3 | MEDIUM | CVSS 6.5 | affects v3.2 | 2020-03-13
[MEDIUM] CWE-89: A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.
Source: nvd
CVE-2020-28365 | P4 | MEDIUM | CVSS 6.1 | affects v3.2 | 2020-12-30
[MEDIUM] CWE-79: Sentrifugo 3.2 allows a Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Source: nvd
CVE-2024-29877 | P4 | MEDIUM | CVSS 6.1 | affects v3.2 | 2024-03-21
[MEDIUM] CWE-79: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
Source: nvd
CVE-2024-29879 | P4 | MEDIUM | CVSS 6.1 | affects v3.2 | 2024-03-21
[MEDIUM] CWE-79: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
Source: nvd
CVE-2024-29878 | P4 | MEDIUM | CVSS 6.1 | affects v3.2 | 2024-03-21
[MEDIUM] CWE-79: Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.
Source: nvd