CVE-2020-26805: SQL Injection
First published: Thu Nov 12 2020(Updated: )
In Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sapplica Sentrifugo | =3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-26805.
What is the severity of CVE-2020-26805?
The severity of CVE-2020-26805 is high (7.2).
How does this vulnerability impact Sentrifugo 3.2?
This vulnerability allows an attacker with admin privileges to perform SQL injection via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2, potentially leading to unauthorized access to or modification of employee information in the database.
What is the affected software version?
The affected software version is Sentrifugo 3.2.
Is there a fix available for CVE-2020-26805?
There is no known fix for CVE-2020-26805 at the moment. It is recommended to update to a newer version of Sentrifugo if available or apply any patches or mitigations provided by the vendor.
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/sapplica
- canonical/sapplica sentrifugo
- version/sapplica sentrifugo/3.2