CVE-2024-29870

Name of the Vulnerable Software and Affected Versions Sentrifugo version 3.2

Description The issue is related to a SQL injection vulnerability. It could allow a remote user to send a specially crafted query to the server and extract all the data from it. The vulnerability is exploited through the /sentrifugo/index.php/index/getdepartments/format/html endpoint, specifically targeting the business id parameter.

Recommendations For Sentrifugo version 3.2, as a temporary workaround, consider disabling access to the /sentrifugo/index.php/index/getdepartments/format/html endpoint until a patch is available. Restrict the use of the business id parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.