Sentrifugo
by Sentrifugo
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-15873 | Sentrifugo / Sentrifugo | Critical | 0.64 | 9.8 | 0.01 | | Aug 28, 2018 | A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter. |
| CVE-2019-15813 | Sentrifugo / Sentrifugo | | 0.03 | — | 0.33 | | Sep 4, 2019 | Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell. |
| CVE-2024-29879 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.00 | | Mar 21, 2024 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal… |
| CVE-2024-29878 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.00 | | Mar 21, 2024 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. |
| CVE-2024-29877 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and… |
| CVE-2024-29876 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. |
| CVE-2024-29875 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data… |
| CVE-2024-29874 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from… |
| CVE-2024-29873 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from… |
| CVE-2024-29872 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. |
| CVE-2024-29871 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and… |
| CVE-2024-29870 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Mar 21, 2024 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote… |
| CVE-2023-29770 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Nov 27, 2023 | In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering. |
| CVE-2020-26803 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Nov 12, 2020 | In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server. |
| CVE-2020-26804 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Nov 12, 2020 | In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. Also, on this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so… |
| CVE-2020-26805 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Nov 12, 2020 | In Sentrifugo 3.2, an admin can edit an employee's information via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by a SQLi vulnerability. An attacker can inject SQL commands into the query, read data… |
| CVE-2019-16059 | Sentrifugo / Sentrifugo | | 0.00 | — | 0.01 | | Sep 6, 2019 | Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page. |