Vulnerabilities (CVE)

Filtered by vendor Sapplica Subscribe
Total 8 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-28365 1 Sapplica 1 Sentrifugo 2024-08-04 4.3 MEDIUM 6.1 MEDIUM
Sentrifugo 3.2 allows Stored Cross-Site Scripting (XSS) vulnerability by inserting a payload within the X-Forwarded-For HTTP header during the login process. When an administrator looks at logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVE-2023-29770 1 Sapplica 1 Sentrifugo 2024-02-28 N/A 8.8 HIGH
In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.
CVE-2020-26803 1 Sapplica 1 Sentrifugo 2024-02-28 6.5 MEDIUM 8.8 HIGH
In Sentrifugo 3.2, users can upload an image under "Assets -> Add" tab. This "Upload Images" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.
CVE-2020-26805 1 Sapplica 1 Sentrifugo 2024-02-28 6.5 MEDIUM 7.2 HIGH
In Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, "employeeNumId" parameter is affected by SQLi vulnerability. Attacker can inject SQL commands into query, read data from database or write data into the database.
CVE-2020-26804 1 Sapplica 1 Sentrifugo 2024-02-28 6.5 MEDIUM 8.8 HIGH
In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.
CVE-2020-10218 1 Sapplica 1 Sentrifugo 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.
CVE-2019-16059 1 Sapplica 1 Sentrifugo 2024-02-28 6.8 MEDIUM 8.8 HIGH
Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.
CVE-2018-15873 1 Sapplica 1 Sentrifugo 2024-02-28 7.5 HIGH 9.8 CRITICAL
A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.