First published: Thu Nov 12 2020
In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Sapplica Sentrifugo | =3.2 | |
The vulnerability ID is CVE-2020-26804.
The severity of CVE-2020-26804 is high with a severity value of 8.8.
An attacker can exploit the Unrestricted File Upload vulnerability in Sentrifugo 3.2 by uploading malicious files as attachments when sharing announcements.
Sentrifugo version 3.2 is affected by CVE-2020-26804.
It is recommended to update to a patched version of Sentrifugo to fix the Unrestricted File Upload vulnerability.