汇总 sapplica 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 SQL 注入、跨站脚本与CSRF,在 软件部署与生产负载 使用场景中可能带来 数据泄露与会话劫持 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2024-29879 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.49% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29878 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.49% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29877 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.50% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29876 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.76% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29875 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.87% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29874 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.87% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29873 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29872 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29871 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.86% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29870 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter./sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.86% | 2024-03-21 | 2026-06-17 |
| CVE-2023-29770 | In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering. | [email protected] | 8.8 | 0.91% | 2023-11-27 | 2026-06-17 |
| CVE-2020-28365 | Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | [email protected] | 6.1 | 0.69% | 2020-12-30 | 2026-06-16 |
| CVE-2020-26805 | In Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database. | [email protected] | 7.2 | 1.49% | 2020-11-12 | 2026-06-16 |
| CVE-2020-26804 | In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 1.39% | 2020-11-12 | 2026-06-16 |
| CVE-2020-26803 | In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 1.39% | 2020-11-12 | 2026-06-16 |
| CVE-2020-10218 | A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function. | [email protected] | 6.5 | 1.16% | 2020-03-13 | 2026-06-16 |
| CVE-2019-16059 | Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page. | [email protected] | 8.8 | 0.61% | 2019-09-06 | 2026-06-16 |
| CVE-2018-15873 | A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter. | [email protected] | 9.8 | 1.14% | 2018-08-28 | 2026-06-16 |