Multiple vulnerabilities in Sentrifugo

Posted date 21/03/2024
Importance
5 - Critical
Affected Resources
  • Sentrifugo, 3.2 version.
Description

INCIBE has coordinated the publication of 10 vulnerabilities, 7 of critical severity and 3 of high severity, affecting Sentrifugo version 3.2, a human resources management system. The vulnerabilities were discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following identifiers, listed with the CVSS v3.1 base score, CVSS vector and CWE vulnerability type of each one:

  • CVE-2024-29870 to CVE-2024-29876: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89
  • CVE-2024-29877 to CVE-2024-29879: 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79

Solution

There is no solution reported at the moment.

Detail
  • Vulnerability in Sentrifugo 3.2 consisting of a SQL injection. Exploitation could allow a remote user to send a specially crafted query to the server and extract all of its data. The list of assigned CVEs is as follows:
    • CVE-2024-29870: /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter.
    • CVE-2024-29871: /sentrifugo/index.php/index/updatecontactnumber, 'id' parameter.
    • CVE-2024-29872: /sentrifugo/index.php/empscreening/add, 'agencyids' parameter.
    • CVE-2024-29873: /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter.
    • CVE-2024-29874: /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter.
    • CVE-2024-29875: /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter.
    • CVE-2024-29876: /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter.
  • Vulnerability in Sentrifugo 3.2 consisting of Cross-Site Scripting (XSS). Exploitation could allow a remote user to send a specially crafted URL to a victim and steal their session data. The list of assigned CVEs is as follows:
    • CVE-2024-29877: /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter.
    • CVE-2024-29878: /sentrifugo/index.php/sitepreference/add, 'description' parameter.
    • CVE-2024-29879: /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter.
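Since no fix is reported, the practical short-term control is detection: knowing the exact endpoint and parameter for each CVE makes it possible to watch for suspicious values in precisely those places rather than writing generic rules. The script below is an added example written for this page; it is not part of the INCIBE advisory or of the Sentrifugo project. It assumes a combined-log-style web access log, inspects only query-string parameters (a POST body sent to the 'add'/'edit' endpoints never reaches the access log and would need an application or WAF log instead), and uses the endpoint/parameter/CVE table above verbatim. The log lines are constructed for the example.

```python
"""Flag requests carrying suspicious values in the Sentrifugo 3.2 endpoint/parameter
pairs named in the INCIBE advisory. Added example; not project or advisory code."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# (path, parameter, CVE, vulnerability class) copied from the advisory's Detail section.
WATCHED = [
    ("/sentrifugo/index.php/index/getdepartments/format/html", "business_id", "CVE-2024-29870", "sqli"),
    ("/sentrifugo/index.php/index/updatecontactnumber", "id", "CVE-2024-29871", "sqli"),
    ("/sentrifugo/index.php/empscreening/add", "agencyids", "CVE-2024-29872", "sqli"),
    ("/sentrifugo/index.php/reports/businessunits/format/html", "bunitname", "CVE-2024-29873", "sqli"),
    ("/sentrifugo/index.php/default/reports/activeuserrptpdf", "sort_name", "CVE-2024-29874", "sqli"),
    ("/sentrifugo/index.php/default/reports/exportactiveuserrpt", "sort_name", "CVE-2024-29875", "sqli"),
    ("/sentrifugo/index.php/reports/activitylogreport", "sortby", "CVE-2024-29876", "sqli"),
    ("/sentrifugo/index.php/expenses/expensecategories/edit", "expense_category_name", "CVE-2024-29877", "xss"),
    ("/sentrifugo/index.php/sitepreference/add", "description", "CVE-2024-29878", "xss"),
    ("/sentrifugo/index.php/index/getdepartments/format/html", "business_id", "CVE-2024-29879", "xss"),
]

# Deliberately narrow heuristics: none of the listed parameters (ids, column names
# used for sorting, category names) legitimately carries quotes, SQL comment
# markers, HTML tags or event-handler attributes, so these rarely false-positive.
PATTERNS = {
    "sqli": re.compile(r"""['"`;]|--|/\*|\bunion\s+select\b""", re.I),
    "xss": re.compile(r"<\s*/?[a-z]|javascript:|\bon[a-z]+\s*=", re.I),
}

# Apache/nginx combined-log prefix: client, ident, user, [timestamp], "METHOD target ...", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_line(line: str) -> list[dict]:
    """Return one finding per watched (endpoint, parameter) whose value matches its pattern."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    findings = []
    for path, param, cve, kind in WATCHED:
        if parts.path != path or param not in params:
            continue
        for raw in params[param]:
            value = unquote_plus(raw)  # second decode catches double-encoded values
            if PATTERNS[kind].search(value):
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "cve": cve,
                    "kind": kind, "param": param, "value": value,
                })
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan a whole log text; findings keep log order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


# Constructed sample log (not real traffic): a benign call, one request touching a
# listed SQLi parameter, one touching a listed XSS parameter, and an unrelated endpoint.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Mar/2024:10:00:01 +0000] "GET /sentrifugo/index.php/index/getdepartments/format/html?business_id=12 HTTP/1.1" 200 512
198.51.100.7 - - [21/Mar/2024:10:00:05 +0000] "GET /sentrifugo/index.php/default/reports/activeuserrptpdf?sort_name=name%27%20-- HTTP/1.1" 200 2048
203.0.113.9 - - [21/Mar/2024:10:01:10 +0000] "GET /sentrifugo/index.php/sitepreference/add?description=%3Cscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [21/Mar/2024:10:01:12 +0000] "GET /sentrifugo/index.php/login?user=a%27 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['cve']} ({f['kind']}) {f['param']}={f['value']!r}")
```

Run against the sample, the script reports two findings: the sort_name request as CVE-2024-29874 (sqli) and the description request as CVE-2024-29878 (xss); the benign department lookup and the unlisted login endpoint produce nothing. Because the getdepartments endpoint is listed under both a SQLi and an XSS CVE, a single business_id value is checked against both pattern classes and attributed to whichever matches. Matching on exact path plus parameter keeps the rule specific to the advisory; the same table can be fed into a WAF or SIEM rule while the vendor has no patch.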