First published: Thu Nov 12 2020
In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is vulnerable to SQL injection. An attacker can inject SQL commands into the query and read data from, or write data to, the database.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sapplica Sentrifugo | =3.2 | |
The vulnerability ID for this issue is CVE-2020-26805.
The severity of CVE-2020-26805 is high (7.2).
This vulnerability allows an attacker with admin privileges to perform SQL injection via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2, potentially leading to unauthorized access to or modification of employee information in the database.
The affected software version is Sentrifugo 3.2.
There is no known fix for CVE-2020-26805 at the moment. It is recommended to update to a newer version of Sentrifugo if available or apply any patches or mitigations provided by the vendor.
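As an added detection example (not part of this advisory or of Sentrifugo's code), the check below scans a constructed JSON-lines request log for POST requests to the affected edit endpoint whose employeeNumId value is not a plain integer. It assumes the log format shown and that employeeNumId is meant to be numeric; both are assumptions, not facts from the advisory.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample request log (JSON lines); not real Sentrifugo traffic.
# Each record carries the request path and the raw URL-encoded POST body.
SAMPLE_LOG = """
{"ts": "2020-11-12T10:00:00Z", "src": "10.0.0.5", "method": "POST", "path": "/sentrifugo/index.php/empadditionaldetails/edit/userid/2", "body": "employeeNumId=17&pan=ABCDE1234F"}
{"ts": "2020-11-12T10:00:07Z", "src": "10.0.0.5", "method": "POST", "path": "/sentrifugo/index.php/empadditionaldetails/edit/userid/2", "body": "employeeNumId=17%20OR%201%3D1&pan=ABCDE1234F"}
{"ts": "2020-11-12T10:00:09Z", "src": "10.0.0.9", "method": "GET", "path": "/sentrifugo/index.php/empadditionaldetails/edit/userid/2", "body": ""}
"""

# The endpoint named in CVE-2020-26805; the trailing user id varies per request.
EDIT_PATH = re.compile(r"^/sentrifugo/index\.php/empadditionaldetails/edit/userid/\d+$")

# Assumption: a legitimate employeeNumId is a plain decimal integer.
INTEGER = re.compile(r"^\d+$")


def is_valid_employee_num_id(value):
    """Allowlist check: True only for a decoded value that is purely numeric."""
    return INTEGER.match(value) is not None


def suspicious_requests(log_text):
    """Return records whose employeeNumId fails the allowlist on the affected endpoint."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or not EDIT_PATH.match(rec["path"]):
            continue
        # parse_qs percent-decodes values, so the check sees what the app would see.
        params = parse_qs(rec["body"], keep_blank_values=True)
        for value in params.get("employeeNumId", []):
            if not is_valid_employee_num_id(value):
                hits.append({"ts": rec["ts"], "src": rec["src"], "employeeNumId": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} non-numeric employeeNumId: {hit['employeeNumId']!r}")
```

The same allowlist check can be applied server-side before the value reaches any query, which is the mitigation this class of bug calls for regardless of a vendor patch.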