CVE-2020-26805

Name of the Vulnerable Software and Affected Versions Sentrifugo version 3.2

Description The issue allows an admin to edit employee information via the "/sentrifugo/index.php/empadditionaldetails/edit/userid/2" endpoint. The employeeNumId parameter in this POST request is affected by a SQL injection vulnerability, enabling an attacker to inject SQL commands into the query, read data from the database, or write data into the database.

Recommendations For Sentrifugo version 3.2, as a temporary workaround, consider restricting access to the "/sentrifugo/index.php/empadditionaldetails/edit/userid/2" endpoint until a patch is available. Avoid using the employeeNumId parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.