This page aggregates CVE and security vulnerability information for all Sapplica products, listing CVSS, EPSS, publication date and vulnerability details.
Common weakness patterns include SQL injection, cross-site scripting (XSS) and CSRF, which in software deployment and production workload contexts can lead to risks such as data exposure and session compromise.
The listed data is based on public vulnerability information and security advisories and can be used to assess historical exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-29879 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.08% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29878 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.09% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29877 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.08% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29876 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.76% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29875 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29874 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29873 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29872 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29871 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2025-01-24 |
| CVE-2024-29870 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.80% | 2024-03-21 | 2025-01-24 |
| CVE-2023-29770 | In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering. | [email protected] | 8.8 | 0.12% | 2023-11-28 | 2024-11-21 |
| CVE-2020-28365 | Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | [email protected] | 6.1 | 0.33% | 2020-12-30 | 2024-11-21 |
| CVE-2020-26805 | In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by a SQLi vulnerability. An attacker can inject SQL commands into the query and read data from or write data into the database. | [email protected] | 7.2 | 0.53% | 2020-11-12 | 2024-11-21 |
| CVE-2020-26804 | In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 0.42% | 2020-11-12 | 2024-11-21 |
| CVE-2020-26803 | In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 0.42% | 2020-11-12 | 2024-11-21 |
| CVE-2020-10218 | A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function. | [email protected] | 6.5 | 0.23% | 2020-03-13 | 2024-11-21 |
| CVE-2019-16059 | Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page. | [email protected] | 8.8 | 0.14% | 2019-09-06 | 2024-11-21 |
| CVE-2018-15873 | A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter. | [email protected] | 9.8 | 0.26% | 2018-08-28 | 2024-11-21 |