彙總 sapplica 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 SQL 注入、跨站腳本與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 資料外洩與工作階段劫持 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-29879 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.49% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29878 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.49% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29877 | Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. | [email protected] | 7.1 | 0.50% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29876 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.76% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29875 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.87% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29874 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.87% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29873 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29872 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.78% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29871 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.86% | 2024-03-21 | 2026-06-17 |
| CVE-2024-29870 | SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter./sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. | [email protected] | 9.8 | 0.86% | 2024-03-21 | 2026-06-17 |
| CVE-2023-29770 | In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering. | [email protected] | 8.8 | 0.91% | 2023-11-27 | 2026-06-17 |
| CVE-2020-28365 | Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | [email protected] | 6.1 | 0.69% | 2020-12-30 | 2026-06-16 |
| CVE-2020-26805 | In Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database. | [email protected] | 7.2 | 1.49% | 2020-11-12 | 2026-06-16 |
| CVE-2020-26804 | In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 1.39% | 2020-11-12 | 2026-06-16 |
| CVE-2020-26803 | In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server. | [email protected] | 8.8 | 1.39% | 2020-11-12 | 2026-06-16 |
| CVE-2020-10218 | A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function. | [email protected] | 6.5 | 1.16% | 2020-03-13 | 2026-06-16 |
| CVE-2019-16059 | Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page. | [email protected] | 8.8 | 0.61% | 2019-09-06 | 2026-06-16 |
| CVE-2018-15873 | A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter. | [email protected] | 9.8 | 1.14% | 2018-08-28 | 2026-06-16 |