RSS   Vulnerabilities for 'Sentrifugo'   RSS

2020-11-12
 
CVE-2020-26805

CWE-89
 

 
In Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database.

 
 
CVE-2020-26804

CWE-434
 

 
In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

 
 
CVE-2020-26803

CWE-434
 

 
In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

 
2020-03-13
 
CVE-2020-10218

CWE-89
 

 
A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.

 
2019-09-06
 
CVE-2019-16059

CWE-352
 

 
Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.

 
2018-08-28
 
CVE-2018-15873

CWE-89
 

 
A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.

 


Copyright 2020, cxsecurity.com

 

Back to Top